Legitimate Application Writing Files In Uncommon Location

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218` System Binary Proxy Execution
Command & Control	`T1105` Ingress Tool Transfer

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\CertReq.exe'
Image|endswith: '\Desktopimgdownldr.exe'
Image|endswith: '\Ldifde.exe'
Image|endswith: '\RdrCEF.exe'
Image|endswith: '\bitsadmin.exe'
Image|endswith: '\certoc.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\cmdl32.exe'
Image|endswith: '\eqnedt32.exe'
Image|endswith: '\esentutl.exe'
Image|endswith: '\expand.exe'
Image|endswith: '\extrac32.exe'
Image|endswith: '\findstr.exe'
Image|endswith: '\finger.exe'
Image|endswith: '\ftp.exe'
Image|endswith: '\hh.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\replace.exe'
Image|endswith: '\wordpad.exe'
Image|endswith: '\wordview.exe'

Stage 2: `all of selection_locations`

or:
TargetFilename|contains: ':\Perflogs'
TargetFilename|contains: ':\ProgramData\'
TargetFilename|contains: ':\Temp\'
TargetFilename|contains: ':\Users\Public\'
TargetFilename|contains: ':\Windows\'
TargetFilename|contains: '\$Recycle.Bin\'
TargetFilename|contains: '\AppData\Local\'
TargetFilename|contains: '\AppData\Roaming\'
TargetFilename|contains: '\Contacts\'
TargetFilename|contains: '\Desktop\'
TargetFilename|contains: '\Favorites\'
TargetFilename|contains: '\Favourites\'
TargetFilename|contains: '\Music\'
TargetFilename|contains: '\Pictures\'
TargetFilename|contains: '\Start Menu\Programs\Startup\'
TargetFilename|contains: '\Users\Default\'
TargetFilename|contains: '\Videos\'
TargetFilename|contains: '\inetpub\wwwroot\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\CertReq.exe` corpus 5 (sigma 5) `\Desktopimgdownldr.exe` corpus 4 (sigma 4) `\Ldifde.exe` `\RdrCEF.exe` corpus 4 (sigma 4) `\bitsadmin.exe` corpus 23 (sigma 23) `\certoc.exe` corpus 10 (sigma 10) `\certutil.exe` corpus 34 (sigma 34) `\cmdl32.exe` corpus 2 (sigma 2) `\eqnedt32.exe` corpus 5 (sigma 5) `\esentutl.exe` corpus 8 (sigma 8) `\expand.exe` corpus 3 (sigma 3) `\extrac32.exe` corpus 2 (sigma 2) `\findstr.exe` corpus 11 (sigma 11) `\finger.exe` corpus 9 (sigma 9) `\ftp.exe` corpus 3 (sigma 3) `\hh.exe` corpus 14 (sigma 14) `\mshta.exe` corpus 57 (sigma 57) `\replace.exe` corpus 2 (sigma 2) `\wordpad.exe` corpus 5 (sigma 5) `\wordview.exe` corpus 6 (sigma 6)
`TargetFilename`	match	`:\Perflogs` `:\ProgramData\` corpus 2 (sigma 2) `:\Temp\` corpus 3 (sigma 3) `:\Users\Public\` corpus 2 (sigma 2) `:\Windows\` `\$Recycle.Bin\` `\AppData\Local\` corpus 2 (sigma 2) `\AppData\Roaming\` corpus 2 (sigma 2) `\Contacts\` `\Desktop\` corpus 3 (sigma 3) `\Favorites\` `\Favourites\` `\Music\` `\Pictures\` `\Start Menu\Programs\Startup\` corpus 3 (sigma 3) `\Users\Default\` `\Videos\` `\inetpub\wwwroot\` corpus 2 (sigma 2)