An adversary may be attempting to escalate privileges by leveraging the .Exe.Local technique to execute code with elevated permissions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential privilege escalation attacks before they lead to broader system compromise.
Detection Rule
title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
id: 07a99744-56ac-40d2-97b7-2095967b0e03
status: test
description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
references:
    - https://github.com/binderlabs/DirCreate2System
    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Windows\System32\logonUI.exe.local'
            - 'C:\Windows\System32\werFault.exe.local'
            - 'C:\Windows\System32\consent.exe.local'
            - 'C:\Windows\System32\narrator.exe.local'
            - 'C:\Windows\System32\wermgr.exe.local'
        TargetFilename|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
// Sentinel (ASIM imFileEvent) translation of the rule above.
// Check which ASIM field your parser fills with the full path: in the ASIM FileEvent
// schema TargetFilePath carries the full path and TargetFileName only the file name,
// so the startswith/endswith conditions below must be applied to the full-path field.
imFileEvent
| where (TargetFileName startswith "C:\\Windows\\System32\\logonUI.exe.local"
    or TargetFileName startswith "C:\\Windows\\System32\\werFault.exe.local"
    or TargetFileName startswith "C:\\Windows\\System32\\consent.exe.local"
    or TargetFileName startswith "C:\\Windows\\System32\\narrator.exe.local"
    or TargetFileName startswith "C:\\Windows\\System32\\wermgr.exe.local")
    and TargetFileName endswith "\\comctl32.dll"
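To check the rule's matching logic before deploying it, the following added example (not part of the Sigma rule, the KQL translation, or the rule authors' work) re-implements the selection block in Python and runs it over constructed file-creation events. Sigma's startswith/endswith modifiers match case-insensitively, which is reproduced with casefold(); the FileEvent class and the sample records are assumptions made for this example, not real telemetry.

```python
"""
Re-implementation of the rule's 'selection' block, applied to constructed
file-creation events so the conditions can be exercised offline.
"""
from dataclasses import dataclass

# The five watched folders from the rule (TargetFilename|startswith).
WATCHED_PREFIXES = (
    r"C:\Windows\System32\logonUI.exe.local",
    r"C:\Windows\System32\werFault.exe.local",
    r"C:\Windows\System32\consent.exe.local",
    r"C:\Windows\System32\narrator.exe.local",
    r"C:\Windows\System32\wermgr.exe.local",
)
# The sideloaded DLL name from the rule (TargetFilename|endswith).
WATCHED_SUFFIX = r"\comctl32.dll"


@dataclass(frozen=True)
class FileEvent:
    """Minimal stand-in for a Windows file_event record (assumed shape)."""
    utc_time: str
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def matches_rule(event: FileEvent) -> bool:
    """Return True when the event satisfies the rule's 'selection' block.

    Two modifiers on the same field are ANDed in Sigma, so the path must start
    with one of the watched folders AND end with \\comctl32.dll. Sigma string
    matching is case-insensitive, hence casefold() on both sides.
    """
    path = event.target_filename.casefold()
    in_watched_folder = any(path.startswith(p.casefold()) for p in WATCHED_PREFIXES)
    is_comctl32 = path.endswith(WATCHED_SUFFIX.casefold())
    return in_watched_folder and is_comctl32


def hunt(events: list[FileEvent]) -> list[FileEvent]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events: two hits (the second in mixed case to show the
# case-insensitive match), one comctl32.dll write outside the watched folders,
# and one watched folder receiving a DLL the rule does not look for.
SAMPLE_EVENTS = [
    FileEvent("2022-12-16 10:00:01", r"C:\Users\alice\tool.exe",
              r"C:\Windows\System32\logonUI.exe.local\comctl32.dll"),
    FileEvent("2022-12-16 10:00:02", r"C:\Users\alice\tool.exe",
              r"c:\windows\system32\CONSENT.EXE.LOCAL\COMCTL32.DLL"),
    FileEvent("2022-12-16 10:00:03", r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\WinSxS\temp\comctl32.dll"),
    FileEvent("2022-12-16 10:00:04", r"C:\Users\alice\tool.exe",
              r"C:\Windows\System32\narrator.exe.local\version.dll"),
]


def run_sample() -> list[str]:
    """Apply the rule to the constructed events; returns the matching paths."""
    return [e.target_filename for e in hunt(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for hit in run_sample():
        print("ALERT  Potential Privilege Escalation Attempt Via .Exe.Local Technique:", hit)
```

The fourth sample event shows the rule's deliberate scope: a watched `.exe.local` folder receiving any DLL other than comctl32.dll is not matched, so a hunt for broader DLL-redirection abuse would need a separate, looser selection with its own false-positive review.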
Scenario: Scheduled Task Execution via .Exe.Local
Description: A legitimate scheduled task is configured to run a .exe file using the .Local syntax to execute under the context of the local system account.
Filter/Exclusion: Check for CommandLine containing schtasks.exe or schtasks /create and exclude tasks with known legitimate names (e.g., Windows Task Scheduler or Daily Maintenance).
Scenario: Admin Tool Execution via .Exe.Local
Description: An administrator is using a legitimate tool like PsExec or PSTools to execute a process on a remote machine using the .Local syntax.
Filter/Exclusion: Filter out processes where the executable is known admin tools (e.g., psexec.exe, PsExec.exe) and check for presence of \\ in the command line to identify remote execution.
Scenario: Local System Service Initialization
Description: A service is configured to run under the Local System account, and the service executable is launched using the .Local syntax.
Filter/Exclusion: Check for services with known service names (e.g., Spooler, EventLog), and exclude processes where the executable is a known system service (e.g., svchost.exe, services.exe).
Scenario: PowerShell Script Execution via .Exe.Local
Description: A PowerShell script is executed using a .exe wrapper (e.g., powershell.exe -Command) with the .Local syntax to run under the local system context.
Filter/Exclusion: Filter out processes where the command line includes powershell.exe and check for presence of -Command or -File to identify legitimate script execution.
Scenario: User-Initiated Local Admin Task