← Back to Explore
sigmahighHunting
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Detection Query
selection_img:
Image|endswith:
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
- \cmdl32.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \bitsadmin.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \expand.exe
- \extrac32.exe
- \replace.exe
- \mshta.exe
- \ftp.exe
- \Ldifde.exe
- \RdrCEF.exe
- \hh.exe
- \finger.exe
- \findstr.exe
selection_locations:
TargetFilename|contains:
- :\Perflogs
- :\ProgramData\
- :\Temp\
- :\Users\Public\
- :\Windows\
- \$Recycle.Bin\
- \AppData\Local\
- \AppData\Roaming\
- \Contacts\
- \Desktop\
- \Favorites\
- \Favourites\
- \inetpub\wwwroot\
- \Music\
- \Pictures\
- \Start Menu\Programs\Startup\
- \Users\Default\
- \Videos\
condition: all of selection_*
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2025-12-10
Data Sources
windowsFile Events
Platforms
windows
Tags
attack.defense-evasionattack.t1218attack.command-and-controlattack.t1105
Raw Content
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
- id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
type: similar
status: experimental
description: |
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
- https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
- attack.defense-evasion
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection_img:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\cmdl32.exe'
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
- '\bitsadmin.exe'
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
- '\expand.exe'
- '\extrac32.exe'
- '\replace.exe'
- '\mshta.exe'
- '\ftp.exe'
- '\Ldifde.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
- '\findstr.exe'
selection_locations:
TargetFilename|contains:
- ':\Perflogs'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\'
- '\$Recycle.Bin\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml