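---
# Sigma rule: fires on a Windows file_event when a process whose image path
# ends with one of the listed names writes a file whose name ends with an
# executable extension (.exe / .dll / .ocx).
title: Legitimate Application Hijacked to Create an Executable
id: 9f340953-08a6-4ee5-b015-118bf4ee858d
description: Detects Executable that should not drop executable
status: experimental
author: frack113 (sigma)
references:
  - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
# Sigma date format (YYYY/MM/DD); it is not an ISO date, so parsers keep it as a string.
date: 2022/08/21
logsource:
  product: windows
  category: file_event
detection:
  # Within a selection, fields are ANDed and the entries of each list are ORed.
  # Both fields use |endswith (suffix match); Sigma string matching is
  # case-insensitive by default, so mixed-case names like CertReq.exe are fine.
  selection:
    # Single quotes keep the leading backslash literal (no escape processing)
    # and make the quoting consistent with the TargetFilename list below.
    Image|endswith:
      # Microsoft Office Programs Dropping Executables
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'
      - '\msaccess.exe'
      - '\mspub.exe'
      - '\eqnedt32.exe'
      - '\visio.exe'
      - '\wordpad.exe'
      - '\wordview.exe'
      # LOLBINs that can be used to download executables
      - '\certutil.exe'
      - '\certoc.exe'
      - '\CertReq.exe'
      # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
      - '\Desktopimgdownldr.exe'
      - '\esentutl.exe'
      - '\expand.exe'
      - '\finger.exe'
      # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
      - '\notepad.exe'
      - '\AcroRd32.exe'
      - '\RdrCEF.exe'
      - '\mshta.exe'
      - '\hh.exe'
    # Extensions of the written file; a match on any one of them satisfies this field.
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.ocx'
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1218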