Suspicious File Creation Inside Masqueraded System32 Path

Rule Info

Name
Suspicious File Creation Inside Masqueraded System32 Path
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects a suspicious file creation event in a System32 directory whose path an adversary has masqueraded by inserting a space between "Windows" and "\System32". This technique may be used to bypass UAC through DLL load-flow hijacking, or to evade logging mechanisms and detection rules that rely on exact path matching. Attackers may leverage this to deploy malware, establish persistence, or execute payloads stealthily.
Date
2025-02-27 00:00:00
Modified
None
Id
32c65dfe-c1f4-4184-8f0c-34146cc603f6
Tags
attack.defense-evasion attack.t1036.005
Type
Nextron Sigma feed only (private)
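
The check the description above refers to, as an added example that is not the rule itself nor Nextron's code: a small Python detector run over constructed Sysmon-style file-creation events. It assumes the event fields EventType and TargetFilename and, as a generalisation, treats any run of spaces or tabs between "Windows" and "\System32" as the masqueraded form.

```python
import re

# A path whose "Windows" component is followed by whitespace before
# "\System32", e.g. C:\Windows \System32\update.dll. Generalised here
# (assumption) to any drive letter and any run of spaces/tabs.
MASQUERADED_SYSTEM32 = re.compile(
    r"^[A-Za-z]:\\Windows[ \t]+\\System32\\", re.IGNORECASE
)


def is_masqueraded_system32(path: str) -> bool:
    """True if the path sits under a space-padded 'Windows \\System32'."""
    return bool(MASQUERADED_SYSTEM32.match(path))


def find_suspicious_file_creations(events):
    """Return file-creation events written into a masqueraded System32 path.

    Only FileCreate events are considered; other event types are skipped.
    """
    hits = []
    for ev in events:
        if ev.get("EventType") != "FileCreate":
            continue
        if is_masqueraded_system32(ev.get("TargetFilename", "")):
            hits.append(ev)
    return hits


# Constructed sample events (Sysmon Event ID 11 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},   # legitimate
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Windows \System32\update.dll"},          # one space
    {"EventType": "FileCreate", "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"c:\windows  \system32\helper.exe"},         # two spaces
    {"EventType": "ProcessCreate", "Image": r"C:\Windows \System32\update.dll",
     "TargetFilename": ""},                                          # not FileCreate
]

if __name__ == "__main__":
    for hit in find_suspicious_file_creations(SAMPLE_EVENTS):
        print("ALERT masqueraded System32 write:", hit["TargetFilename"])
```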

Rule History