Detectionhightest
Potential Privilege Escalation Attempt Via .Exe.Local Technique
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), Subhash PCreated Fri Dec 16Updated Mon Dec 1907a99744-56ac-40d2-97b7-2095967b0e03windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
TargetFilename|startswith:
- 'C:\Windows\System32\logonUI.exe.local'
- 'C:\Windows\System32\werFault.exe.local'
- 'C:\Windows\System32\consent.exe.local'
- 'C:\Windows\System32\narrator.exe.local'
- 'C:\Windows\System32\wermgr.exe.local'
TargetFilename|endswith: '\comctl32.dll'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
07a99744-56ac-40d2-97b7-2095967b0e03
Status
test
Level
high
Type
Detection
Created
Fri Dec 16
Modified
Mon Dec 19
Path
rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalation