From 7c4520e948c42521d44b0774e954316c64c9ee4f Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 9 Feb 2026 18:38:31 +0100
Subject: [PATCH] feat(rules) Add Fake system root environment variable manipulation rule

Identifies attempts to manipulate user-scoped Windows directory registry values to point to non-standard locations, a technique commonly abused to fake the system root directory and enable privilege escalation.
---
 ...root_environment_variable_manipulation.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml

diff --git a/rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml b/rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml
new file mode 100644
index 000000000..be2281774
--- /dev/null
+++ b/rules/privilege_escalation_fake_system_root_environment_variable_manipulation.yml
@@ -0,0 +1,35 @@
+name: Fake system root environment variable manipulation
+id: 15613558-14cc-4d00-b13e-392df61e29c4
+version: 1.0.0
+description: |
+ Identifies attempts to manipulate user-scoped Windows directory registry values
+ to point to non-standard locations, a technique commonly abused to fake the system
+ root directory and enable privilege escalation.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1068
+ technique.name: Exploitation for Privilege Escalation
+ technique.ref: https://attack.mitre.org/techniques/T1068/
+references:
+ - https://github.com/hfiref0x/UACME
+
+condition: >
+ set_value and
+ ps.sid != 'S-1-5-18' and
+ registry.path imatches
+ (
+ 'HKEY_CURRENT_USER\\*\\windir',
+ 'HKEY_CURRENT_USER\\*\\systemroot'
+ ) and
+ registry.data not imatches
+ (
+ '?:\\windows',
+ '?SystemRoot?'
+ ) and
+ registry.path not imatches 'HKEY_CURRENT_USER\\*\\SOFTWARE\\*'
+
+severity: high
+
+min-engine-version: 3.0.0
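Review bot: The closing `registry.path not imatches 'HKEY_CURRENT_USER\\*\\SOFTWARE\\*'` exclusion in the condition carries no explanation, so a reader cannot tell which legitimate writes it is meant to drop, and since the positive patterns `HKEY_CURRENT_USER\\*\\windir` / `\\systemroot` already match any subkey it effectively narrows the rule to keys outside the SOFTWARE hive without saying so. A comment above `condition:` along the lines of `# Exclude HKCU\SOFTWARE\* where applications store their own windir/systemroot values; the abused location is the user's Environment key` (adjusted to what was actually observed) would make that tuning auditable. The `registry.data` exclusion also deserves a note that `?` is a single-character wildcard, so `'?SystemRoot?'` stands for `%SystemRoot%` and `'?:\\windows'` for a drive-rooted Windows path; as written a value such as `C:\Windows\` with a trailing separator is not excluded and would alert, which may be intended but should be stated. Finally, `version: 1.0.0` and `min-engine-version: 3.0.0` parse as strings only because of the second dot, so quoting them (`'1.0.0'`, `'3.0.0'`) would be safer if the rule schema treats them as strings.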