How can an attacker forge a normal UAC prompt by simulating a trusted directory?
The attacker creates a directory whose name normalizes to a trusted system path, such as `C:\Windows \System32\` (note the trailing space after `Windows`), and places a malicious executable that requests administrator privileges (e.g., `testuac.exe`) inside it under a legitimate system name like `diskpart.exe`. Win32 path normalization silently drops the trailing space, so when the file is run the UAC prompt shows the path as the genuine `C:\Windows\System32\diskpart.exe`; because the binary is unsigned, however, the dialog still shows the unknown-publisher warning. To make the prompt appear fully legitimate, the attacker can use a tool such as SigThief to copy the Authenticode signature from a signed system file (e.g., `consent.exe`) and append it to the malicious binary. Note the caveat: a copied signature does not cryptographically verify, since the hash embedded in it no longer matches the file, so any check that actually validates the signature (for example `Get-AuthenticodeSignature` in PowerShell) reports it as invalid rather than as a verified publisher. This technique builds on the concepts discussed in Analysis of UAC Bypass Exploitation by Mocking Trusted Directories.
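The mechanism behind the mocked directory is a trust check that canonicalizes the image path before comparing it with a trusted prefix. The following is an added example, not code from the page, from SigThief, or from the referenced research: it models that lossy check in Python so it can be run anywhere, and contrasts it with a strict check that rejects any path component altered by normalization. The function names, the approximation of Win32 normalization (stripping trailing spaces and dots from each component, modelled on `GetLongPathNameW`/`GetFullPathNameW` behaviour), and the sample paths are all assumptions made for the example; it is not the logic of `appinfo.dll` or `consent.exe`.

```python
"""Model of the 'mocked trusted directory' path-check weakness (constructed example).

A trust check that normalizes the image path and then prefix-compares it with a
trusted directory is fooled by 'C:\\Windows \\System32\\' (space after Windows),
because Win32 normalization drops trailing spaces and dots from path components.
"""
from __future__ import annotations

import ntpath

# Trusted directories as a UAC-style check might list them (assumed for the example).
TRUSTED_PREFIXES = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")


def win32_normalize(path: str) -> str:
    """Approximate the lossy part of Win32 path normalization.

    Trailing spaces and dots are stripped from every path component, which is
    what turns 'C:\\Windows \\System32\\x.exe' into 'C:\\Windows\\System32\\x.exe'.
    This is a model of the API behaviour, not a call to the real API.
    """
    drive, rest = ntpath.splitdrive(path)
    cleaned = [component.rstrip(" .") for component in rest.split("\\")]
    return drive + "\\".join(cleaned)


def is_trusted_lossy(image_path: str) -> bool:
    """Vulnerable check: normalize first, then compare against trusted prefixes.

    The mocked directory passes because normalization erases the difference
    between 'Windows ' and 'Windows'.
    """
    normalized = win32_normalize(image_path).lower()
    return any(normalized.startswith(prefix.lower()) for prefix in TRUSTED_PREFIXES)


def is_trusted_strict(image_path: str) -> bool:
    """Hardened check: refuse any path that normalization would change, then
    compare the raw string. A component such as 'Windows ' never equals 'Windows'."""
    if win32_normalize(image_path) != image_path:
        return False
    raw = image_path.lower()
    return any(raw.startswith(prefix.lower()) for prefix in TRUSTED_PREFIXES)


def find_mocked_components(path: str) -> list[str]:
    """Hunting predicate: return path components that carry a trailing space or
    dot, i.e. names that only exist to impersonate a trusted directory."""
    _, rest = ntpath.splitdrive(path)
    return [c for c in rest.split("\\") if c and c != c.rstrip(" .")]


if __name__ == "__main__":
    # Constructed sample paths: the genuine binary and the mocked-directory copy.
    real = "C:\\Windows\\System32\\diskpart.exe"
    mocked = "C:\\Windows \\System32\\diskpart.exe"  # note the space after 'Windows'
    for candidate in (real, mocked):
        print(
            f"{candidate!r}: lossy={is_trusted_lossy(candidate)} "
            f"strict={is_trusted_strict(candidate)} "
            f"mocked_components={find_mocked_components(candidate)}"
        )
```

Running the block shows the mocked path accepted by the lossy check and rejected by the strict one, with `find_mocked_components` flagging `'Windows '` as the offending component. On a real host the same predicate can be applied to raw directory names returned by `FindFirstFileW`/`os.listdir`, but accessing such a directory afterwards requires the `\\?\` prefix so that Win32 does not normalize the name away.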
UAC prompt, simulated trusted directories, signature forgery, SigThief, privilege escalation