From 1f269c30d64515180c4bfb7a1f47a6f35ba4bbad Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 10 Feb 2026 17:59:44 +0100
Subject: [PATCH] feat(rules): Add UAC bypass via assembly Native Image Cache hijack rule

Detects attempts to bypass User Account Control (UAC) by hijacking the .NET Native Image Cache (NativeImages) through unauthorized assembly creation followed by execution of a high-integrity process.

---
...via_assembly_native_image_cache_hijack.yml | 43 +++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 rules/privilege_escalation_uac_bypass_via_assembly_native_image_cache_hijack.yml

diff --git a/rules/privilege_escalation_uac_bypass_via_assembly_native_image_cache_hijack.yml b/rules/privilege_escalation_uac_bypass_via_assembly_native_image_cache_hijack.yml
new file mode 100644
index 000000000..612625be8
--- /dev/null
+++ b/rules/privilege_escalation_uac_bypass_via_assembly_native_image_cache_hijack.yml
@@ -0,0 +1,43 @@
+name: UAC bypass via assembly Native Image Cache hijack
+id: d10685d9-675c-4888-a246-85758e4c4515
+version: 1.0.0
+description: |
+ Detects attempts to bypass User Account Control (UAC) by hijacking the
+ .NET Native Image Cache (NativeImages) through unauthorized assembly
+ creation followed by execution of a high-integrity process.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1548
+ technique.name: Abuse Elevation Control Mechanism
+ technique.ref: https://attack.mitre.org/techniques/T1548/
+ subtechnique.id: T1548.002
+ subtechnique.name: Bypass User Account Control
+ subtechnique.ref: https://attack.mitre.org/techniques/T1548/002/
+references:
+ - https://github.com/hfiref0x/UACME
+
+condition: >
+ sequence
+ maxspan 1m
+ |create_file and
+ evt.pid != 4 and ps.sid != 'S-1-5-18' and
+ file.path imatches '?:\\WINDOWS\\assembly\\NativeImages_*\\*.dll' and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+ '?:\\Windows\\servicing\\TrustedInstaller.exe'
+ )
+ | as e1
+ |spawn_process and
+ ps.token.integrity_level = 'HIGH' and
+ thread.callstack.summary imatches concat('ntdll.dll|KernelBase.dll|*', $e1.file.name, '|*')
+ |
+
+severity: high
+
+min-engine-version: 3.0.0
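Review bot: The second stage of the sequence joins on `$e1.file.name` alone, so any HIGH-integrity process whose call stack summary contains a module with the same base name within the 1-minute window completes the sequence, not only a process that loaded the DLL written under NativeImages in e1. Binding both stages to the same principal, e.g. adding `ps.sid = $e1.ps.sid` to the spawn_process stage, and stating in the rule description that the correlation is by module name rather than full path would make the intent explicit and cut false positives from legitimately elevated processes. Separately, the first-stage pattern `'?:\\WINDOWS\\assembly\\NativeImages_*\\*.dll'` reads as matching a DLL one directory below `NativeImages_*`, whereas native images normally sit deeper (`NativeImages_*\<assembly>\<hash>\*.ni.dll`); unless `*` is known to cross path separators in `imatches`, the rule may miss the intended location, so this is worth confirming against the matcher semantics. Since `evt.pid != 4 and ps.sid != 'S-1-5-18'` already excludes the SYSTEM writers, a short `#` comment above the `ps.exe not imatches` list explaining which non-SYSTEM contexts make the ngen/mscorsvw/TrustedInstaller exclusions still necessary would help future maintainers of the allowlist.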