Detection rules › Sigma
Uncommon Child Process Of Appvlp.EXE
Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection
ParentImage|endswith: '\appvlp.exe'
Stage 2: not 1 of filter_main_generic
or:
Image|endswith: ':\Windows\SysWOW64\rundll32.exe'
Image|endswith: ':\Windows\System32\rundll32.exe'
Stage 3: not 1 of filter_optional_*
or:
Image|endswith: '\MSOUC.EXE'
Image|contains: ':\Program Files\Microsoft Office'
Image|endswith: '\SKYPESERVER.EXE'
Image|contains: ':\Program Files\Microsoft Office'
Image|contains: '\SkypeSrv\'
Image|endswith: '\msoasb.exe'
Image|contains: ':\Program Files\Microsoft Office'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
Image | match |
|
ParentImage | ends_with |
|