
Legitimate Application Dropped Executable

Severity: high
Author: frack113, Florian Roth (Nextron Systems)
Source: upstream

Detects executable files (DLL, EXE, OCX) being written to disk by Windows programs that have no legitimate reason to drop executables.

MITRE ATT&CK coverage

Tactic         | Techniques
Defense Evasion | T1218 System Binary Proxy Execution

Event coverage

Provider | Event ID | Title
Sysmon   | 11       | FileCreate

Stages and Predicates

Stage 1: selection

Both field groups below must match on the same event (a Sigma selection ANDs its fields); within each group any one listed value is enough (the values are ORed).

or:
Image|endswith: '\AcroRd32.exe'
Image|endswith: '\CertReq.exe'
Image|endswith: '\Desktopimgdownldr.exe'
Image|endswith: '\RdrCEF.exe'
Image|endswith: '\certoc.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\eqnedt32.exe'
Image|endswith: '\esentutl.exe'
Image|endswith: '\finger.exe'
Image|endswith: '\hh.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\wordpad.exe'
Image|endswith: '\wordview.exe'
and
or:
TargetFilename|endswith: '.dll'
TargetFilename|endswith: '.exe'
TargetFilename|endswith: '.ocx'
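The selection above, evaluated in code over a handful of constructed Sysmon Event ID 11 records. This is an added example, not code from the Sigma project or the rule's authors; it assumes the standard Sigma semantics that fields of one selection are ANDed, listed values are ORed, and string modifiers such as endswith match case-insensitively. The sample events, hosts and paths are made up for illustration.

```python
"""Evaluate the 'Legitimate Application Dropped Executable' Sigma selection
over constructed Sysmon FileCreate (Event ID 11) records.

Added example, not the project's own code. Field names (EventID, Image,
TargetFilename) follow the Sysmon event schema used by the rule.
"""

# Values copied from the rule's selection block.
DROPPER_IMAGES = (
    r"\AcroRd32.exe", r"\CertReq.exe", r"\Desktopimgdownldr.exe", r"\RdrCEF.exe",
    r"\certoc.exe", r"\certutil.exe", r"\eqnedt32.exe", r"\esentutl.exe",
    r"\finger.exe", r"\hh.exe", r"\mshta.exe", r"\wordpad.exe", r"\wordview.exe",
)
EXECUTABLE_SUFFIXES = (".dll", ".exe", ".ocx")


def _endswith_any(value, suffixes):
    """Sigma's 'endswith' is case-insensitive (no 'cased' modifier here), and
    Windows paths are case-insensitive anyway, so compare in lower case."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """Return True when one Sysmon event satisfies the rule's selection.

    Fields inside a Sigma selection are ANDed; the list of values for each
    field is ORed. The EventID gate mirrors the rule's Sysmon 11 coverage.
    """
    if event.get("EventID") != 11:
        return False
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return _endswith_any(image, DROPPER_IMAGES) and _endswith_any(target, EXECUTABLE_SUFFIXES)


def find_alerts(events):
    """Return (Image, TargetFilename) pairs for every event that fires the rule."""
    return [(e["Image"], e["TargetFilename"]) for e in events if matches_rule(e)]


# Constructed sample telemetry (hypothetical paths, not real host data).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\update.exe"},      # fires: listed image, .exe target
    {"EventID": 11, "Image": r"C:\Windows\System32\MSHTA.EXE",
     "TargetFilename": r"C:\Users\Public\helper.DLL"},      # fires: case-insensitive match
    {"EventID": 11, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\cert.cer"},        # no: target is not an executable type
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\tool.exe"},        # no: image is not in the list
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\x.exe"},           # no: not a FileCreate event
]

if __name__ == "__main__":
    for image, target in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {image} wrote {target}")
```

Only the first two sample events fire. The third event shows why both groups are required: certutil.exe writing a .cer file is routine and must not alert, which is exactly what the AND between the Image and TargetFilename groups buys over matching on the image alone.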

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field          | Kind       | Values
Image          | ends_with  |
  • \AcroRd32.exe corpus 3 (sigma 3)
  • \CertReq.exe corpus 5 (sigma 5)
  • \Desktopimgdownldr.exe corpus 4 (sigma 4)
  • \RdrCEF.exe corpus 4 (sigma 4)
  • \certoc.exe corpus 10 (sigma 10)
  • \certutil.exe corpus 34 (sigma 34)
  • \eqnedt32.exe corpus 5 (sigma 5)
  • \esentutl.exe corpus 8 (sigma 8)
  • \finger.exe corpus 9 (sigma 9)
  • \hh.exe corpus 14 (sigma 14)
  • \mshta.exe corpus 57 (sigma 57)
  • \wordpad.exe corpus 5 (sigma 5)
  • \wordview.exe corpus 6 (sigma 6)
TargetFilename | ends_with  |
  • .dll corpus 21 (sigma 21)
  • .exe corpus 18 (sigma 18)
  • .ocx corpus 3 (sigma 3)