
Legitimate Application Dropped Script

Severity: high
Author: frack113, Florian Roth (Nextron Systems)
Source: upstream

Detects file-creation events in which a Windows program that has no legitimate reason to write scripts (for example certutil.exe, mshta.exe or the Acrobat Reader binaries) drops a script file (.bat, .ps1, .scf, .vbs, .wsf, .wsh) to disk.

MITRE ATT&CK coverage

Tactic           Technique
Defense Evasion  T1218 System Binary Proxy Execution

Event coverage

Provider  Event ID  Title
Sysmon    11        FileCreate

Stages and Predicates

Stage 1: selection

Both groups below must match the same FileCreate event: the fields of one Sigma selection are joined with AND, while the values listed under each field are alternatives (OR).

or:
Image|endswith: '\AcroRd32.exe'
Image|endswith: '\CertReq.exe'
Image|endswith: '\Desktopimgdownldr.exe'
Image|endswith: '\RdrCEF.exe'
Image|endswith: '\certoc.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\eqnedt32.exe'
Image|endswith: '\esentutl.exe'
Image|endswith: '\finger.exe'
Image|endswith: '\hh.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\wordpad.exe'
Image|endswith: '\wordview.exe'
or:
TargetFilename|endswith: '.bat'
TargetFilename|endswith: '.ps1'
TargetFilename|endswith: '.scf'
TargetFilename|endswith: '.vbs'
TargetFilename|endswith: '.wsf'
TargetFilename|endswith: '.wsh'
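The selection above, evaluated over a handful of constructed Sysmon Event ID 11 records, as an added example (not the page's own code and not the Sigma project's engine). It assumes the field names Sysmon's FileCreate event exposes to Sigma's windows/file_event log source (EventID, Image, TargetFilename) and applies Sigma's default case-insensitive string matching; the sample events and paths are made up for the demonstration.

```python
"""Evaluate the 'Legitimate Application Dropped Script' selection against
constructed Sysmon FileCreate (Event ID 11) events.

Added example; not part of the rule page or of any Sigma backend.
"""
from typing import Iterable

# Value lists copied from the rule's selection.
IMAGE_SUFFIXES = (
    "\\AcroRd32.exe", "\\CertReq.exe", "\\Desktopimgdownldr.exe",
    "\\RdrCEF.exe", "\\certoc.exe", "\\certutil.exe", "\\eqnedt32.exe",
    "\\esentutl.exe", "\\finger.exe", "\\hh.exe", "\\mshta.exe",
    "\\wordpad.exe", "\\wordview.exe",
)
SCRIPT_SUFFIXES = (".bat", ".ps1", ".scf", ".vbs", ".wsf", ".wsh")


def _ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    # Sigma string modifiers are case-insensitive unless |cased is added,
    # so both sides are lower-cased before the suffix comparison.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_matches(event: dict) -> bool:
    """Return True when the event satisfies both field groups.

    The two groups are keys of one selection map and are therefore ANDed:
    the writing process must be one of the listed images AND the created
    file must carry one of the listed script extensions.
    """
    if event.get("EventID") != 11:  # only Sysmon FileCreate events apply
        return False
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return _ends_with_any(image, IMAGE_SUFFIXES) and _ends_with_any(
        target, SCRIPT_SUFFIXES
    )


def scan(events: list) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if selection_matches(e)]


# Constructed sample telemetry (assumed field names, invented paths).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\certutil.exe",
     "TargetFilename": "C:\\Users\\Public\\update.bat"},          # hit
    {"EventID": 11, "Image": "C:\\Windows\\System32\\certutil.exe",
     "TargetFilename": "C:\\Users\\Public\\cert.cer"},            # not a script
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\script.ps1"},           # image not listed
    {"EventID": 11, "Image": "C:\\Windows\\System32\\MSHTA.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\a.VBS"},  # hit (case)
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Temp\\page.hta"},              # wrong event type
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT: {e['Image']} wrote {e['TargetFilename']}")
```

Only the first and fourth sample events alert: the second fails the extension group, the third fails the image group, and the fifth is a process-creation event rather than a FileCreate, which the rule's log source never covers.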

Indicators

Each row is a field, an operator and a value that the rule matches. The corpus count states how many other rules in the catalog look for the same field/operator/value combination: a high count points to a widely used, community-vetted indicator, while a blank cell or a count of 1 means the indicator appears only in this rule.

Field: Image (kind: ends_with)
  • \AcroRd32.exe corpus 3 (sigma 3)
  • \CertReq.exe corpus 5 (sigma 5)
  • \Desktopimgdownldr.exe corpus 4 (sigma 4)
  • \RdrCEF.exe corpus 4 (sigma 4)
  • \certoc.exe corpus 10 (sigma 10)
  • \certutil.exe corpus 34 (sigma 34)
  • \eqnedt32.exe corpus 5 (sigma 5)
  • \esentutl.exe corpus 8 (sigma 8)
  • \finger.exe corpus 9 (sigma 9)
  • \hh.exe corpus 14 (sigma 14)
  • \mshta.exe corpus 57 (sigma 57)
  • \wordpad.exe corpus 5 (sigma 5)
  • \wordview.exe corpus 6 (sigma 6)

Field: TargetFilename (kind: ends_with)
  • .bat corpus 15 (sigma 15)
  • .ps1 corpus 15 (sigma 15)
  • .scf corpus 2 (sigma 2)
  • .vbs corpus 16 (sigma 16)
  • .wsf corpus 6 (sigma 6)
  • .wsh corpus 2 (sigma 2)