From 264c1ed67dbc12eef64d81a5e2eb7b03c3567fc4 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 16 Feb 2026 19:41:56 +0100
Subject: [PATCH] feat(rules): Add UAC bypass via NTFS junction DLL hijacking rule
Detects potential User Account Control (UAC) bypass activity leveraging NTFS junctions in combination with DLL hijacking to achieve elevated code execution. Attackers can manipulate filesystem redirection features to coerce trusted Windows components into loading malicious libraries.
---
 rules/macros/macros.yml | 3 ++
 ...bypass_via_ntfs_junction_dll_hijacking.yml | 51 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index 88f63f088..efd07d8ed 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
@@ -28,6 +28,9 @@
- macro: create_new_file expr: evt.name = 'CreateFile' and file.operation = 'CREATE' and file.status = 'Success'
+- macro: create_file_supersede
+ expr: evt.name = 'CreateFile' and file.operation = 'SUPERSEDE'
+
- macro: rename_file expr: evt.name = 'RenameFile'
diff --git a/rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml b/rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml
new file mode 100644
index 000000000..cf521d983
--- /dev/null
+++ b/rules/privilege_escalation_uac_bypass_via_ntfs_junction_dll_hijacking.yml
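Review bot: The new `create_file_supersede` macro carries no `file.status = 'Success'` clause, unlike the adjacent `create_new_file` macro, so a denied or otherwise failed supersede attempt satisfies it as well. If matching failed attempts is intentional, a comment on the macro saying so would keep a later maintainer from "fixing" it; otherwise `expr: evt.name = 'CreateFile' and file.operation = 'SUPERSEDE' and file.status = 'Success'` keeps the two macros consistent. The `create_file` macro that the new rule pairs it with is outside this hunk, so whether the pair agrees on success filtering cannot be checked here.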
@@ -0,0 +1,51 @@
+name: UAC bypass via NTFS junction DLL hijacking
+id: 9cdfa658-e8d5-4391-a4d8-0b53f8158782
+version: 1.0.0
+description: |
+ Detects potential User Account Control (UAC) bypass activity leveraging
+ NTFS junctions in combination with DLL hijacking to achieve elevated code
+ execution. Attackers can manipulate filesystem redirection features to
+ coerce trusted Windows components into loading malicious libraries.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1548
+ technique.name: Abuse Elevation Control Mechanism
+ technique.ref: https://attack.mitre.org/techniques/T1548/
+ subtechnique.id: T1548.002
+ subtechnique.name: Bypass User Account Control
+ subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+ - https://github.com/hfiref0x/UACME
+
+condition: >
+ sequence
+ maxspan 2m
+ |((create_file) or (create_file_supersede)) and
+ ps.name iin ('wusa.exe', 'dllhost.exe') and
+ thread.callstack.symbols imatches ('cabinet.dll!FDICopy') and
+ file.path imatches
+ (
+ '?:\\Windows\\System32\\*.dll',
+ '?:\\Windows\\SysWoW64\\*.dll',
+ '?:\\Windows\\System32\\*.exe.local\\*.dll',
+ '?:\\Windows\\SysWoW64\\*.exe.local\\*.dll'
+ )
+ |
+ |spawn_process and
+ ps.token.integrity_level = 'HIGH' and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\WerFault.exe',
+ '?:\\Windows\\SysWOW64\\WerFault.exe',
+ '?:\\Windows\\System32\\wermgr.exe',
+ '?:\\Windows\\SysWOW64\\wermgr.exe',
+ '?:\\Windows\\System32\\conhost.exe',
+ '?:\\Windows\\SysWOW64\\conhost.exe'
+ )
+ |
+
+severity: high
+
+min-engine-version: 3.0.0
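Review bot: The second stage of the sequence, `|spawn_process and ps.token.integrity_level = 'HIGH' and ps.exe not imatches (...)|`, is not tied to the first stage by any join key, so any elevated process start on the host within two minutes of a wusa.exe/dllhost.exe write into System32 completes the sequence; on a machine where an administrator works from an elevated shell this will likely fire on unrelated activity. A tighter second stage would be the load of the DLL that was just written (an image-load event on the same file path by a high-integrity process), which also gives the sequence a natural correlation field; the exact field and macro names would have to come from the macro file, which is only partly visible here. The description should also state what the condition actually observes — a CAB extraction via `cabinet.dll!FDICopy` into System32/SysWoW64 followed by an elevated spawn — since no junction creation is checked and the rule name alone suggests otherwise. Lastly, `thread.callstack.symbols imatches ('cabinet.dll!FDICopy')` is an exact case-insensitive literal; if the engine renders symbols with an offset suffix it would never match and a trailing wildcard would be needed, which is worth confirming against an existing callstack rule.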