← Back to Explore
sigmalowHunting
Creation of an Executable by an Executable
Detects the creation of an executable by another executable.
Detection Query
selection:
Image|endswith: .exe
TargetFilename|endswith: .exe
filter_main_generic_1:
Image|endswith:
- :\Windows\System32\msiexec.exe
- :\Windows\system32\cleanmgr.exe
- :\Windows\explorer.exe
- :\WINDOWS\system32\dxgiadaptercache.exe
- :\WINDOWS\system32\Dism.exe
- :\Windows\System32\wuauclt.exe
filter_main_update:
Image|endswith: :\WINDOWS\system32\svchost.exe
TargetFilename|contains: :\Windows\SoftwareDistribution\Download\
filter_main_upgrade:
Image|endswith: :\Windows\system32\svchost.exe
TargetFilename|contains|all:
- :\WUDownloadCache\
- \WindowsUpdateBox.exe
filter_main_windows_update_box:
Image|contains: :\WINDOWS\SoftwareDistribution\Download\
Image|endswith: \WindowsUpdateBox.Exe
TargetFilename|contains: :\$WINDOWS.~BT\Sources\
filter_main_tiworker:
Image|contains: :\Windows\WinSxS\
Image|endswith: \TiWorker.exe
filter_main_programfiles:
- Image|contains:
- :\Program Files\
- :\Program Files (x86)\
- TargetFilename|contains:
- :\Program Files\
- :\Program Files (x86)\
filter_main_defender:
Image|contains:
- :\ProgramData\Microsoft\Windows Defender\
- :\Program Files\Windows Defender\
filter_main_windows_apps:
TargetFilename|contains: \AppData\Local\Microsoft\WindowsApps\
filter_main_teams:
Image|endswith: \AppData\Local\Microsoft\Teams\Update.exe
TargetFilename|endswith:
- \AppData\Local\Microsoft\Teams\stage\Teams.exe
- \AppData\Local\Microsoft\Teams\stage\Squirrel.exe
- \AppData\Local\Microsoft\SquirrelTemp\tempb\
filter_main_mscorsvw:
Image|contains:
- :\Windows\Microsoft.NET\Framework\
- :\Windows\Microsoft.NET\Framework64\
- :\Windows\Microsoft.NET\FrameworkArm\
- :\Windows\Microsoft.NET\FrameworkArm64\
Image|endswith: \mscorsvw.exe
TargetFilename|contains: :\Windows\assembly\NativeImages_
filter_main_vscode:
Image|contains: \AppData\Local\
Image|endswith: \Microsoft VS Code\Code.exe
TargetFilename|contains: \.vscode\extensions\
filter_main_githubdesktop:
Image|endswith: \AppData\Local\GitHubDesktop\Update.exe
TargetFilename|contains: \AppData\Local\SquirrelTemp\
filter_main_windows_temp:
- Image|contains: :\WINDOWS\TEMP\
- TargetFilename|contains: :\WINDOWS\TEMP\
filter_optional_python:
Image|contains: \Python27\python.exe
TargetFilename|contains:
- \Python27\Lib\site-packages\
- \Python27\Scripts\
- \AppData\Local\Temp\
filter_optional_squirrel:
Image|contains: \AppData\Local\SquirrelTemp\Update.exe
TargetFilename|contains: \AppData\Local
filter_main_temp_installers:
- Image|contains: \AppData\Local\Temp\
- TargetFilename|contains: \AppData\Local\Temp\
filter_optional_chrome:
Image|endswith: \ChromeSetup.exe
TargetFilename|contains: \Google
filter_main_dot_net:
Image|contains: :\Windows\Microsoft.NET\Framework
Image|endswith: \mscorsvw.exe
TargetFilename|contains: :\Windows\assembly
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Author
frack113
Created
2022-03-09
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.resource-developmentattack.t1587.001detection.threat-hunting
Raw Content
title: Creation of an Executable by an Executable
id: 297afac9-5d02-4138-8c58-b977bac60556
status: test
description: Detects the creation of an executable by another executable.
references:
- Internal Research
author: frack113
date: 2022-03-09
modified: 2025-02-24
tags:
- attack.resource-development
- attack.t1587.001
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '.exe'
TargetFilename|endswith: '.exe'
filter_main_generic_1:
Image|endswith:
- ':\Windows\System32\msiexec.exe'
- ':\Windows\system32\cleanmgr.exe'
- ':\Windows\explorer.exe'
- ':\WINDOWS\system32\dxgiadaptercache.exe'
- ':\WINDOWS\system32\Dism.exe'
- ':\Windows\System32\wuauclt.exe'
filter_main_update:
# Security_UserID: S-1-5-18
# Example:
# TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe
Image|endswith: ':\WINDOWS\system32\svchost.exe'
TargetFilename|contains: ':\Windows\SoftwareDistribution\Download\'
filter_main_upgrade:
Image|endswith: ':\Windows\system32\svchost.exe'
TargetFilename|contains|all:
# Example:
# This example was seen during windows upgrade
# TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe
- ':\WUDownloadCache\'
- '\WindowsUpdateBox.exe'
filter_main_windows_update_box:
# This FP was seen during Windows Upgrade
# ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
Image|contains: ':\WINDOWS\SoftwareDistribution\Download\'
Image|endswith: '\WindowsUpdateBox.Exe'
TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
filter_main_tiworker:
Image|contains: ':\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
filter_main_programfiles:
- Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- TargetFilename|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
filter_main_defender:
Image|contains:
- ':\ProgramData\Microsoft\Windows Defender\'
- ':\Program Files\Windows Defender\'
filter_main_windows_apps:
TargetFilename|contains: '\AppData\Local\Microsoft\WindowsApps\'
filter_main_teams:
Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
- '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
- '\AppData\Local\Microsoft\SquirrelTemp\tempb\'
filter_main_mscorsvw:
# Example:
# ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior
# Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
# TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
# TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
# TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\mscorsvw.exe'
TargetFilename|contains: ':\Windows\assembly\NativeImages_'
filter_main_vscode:
Image|contains: '\AppData\Local\'
Image|endswith: '\Microsoft VS Code\Code.exe'
TargetFilename|contains: '\.vscode\extensions\'
filter_main_githubdesktop:
Image|endswith: '\AppData\Local\GitHubDesktop\Update.exe'
# Example TargetFileName:
# \AppData\Local\SquirrelTemp\tempb\lib\net45\GitHubDesktop_ExecutionStub.exe
# \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
filter_main_windows_temp:
- Image|contains: ':\WINDOWS\TEMP\'
- TargetFilename|contains: ':\WINDOWS\TEMP\'
filter_optional_python:
Image|contains: '\Python27\python.exe'
TargetFilename|contains:
- '\Python27\Lib\site-packages\'
- '\Python27\Scripts\'
- '\AppData\Local\Temp\'
filter_optional_squirrel:
Image|contains: '\AppData\Local\SquirrelTemp\Update.exe'
TargetFilename|contains: '\AppData\Local'
filter_main_temp_installers:
- Image|contains: '\AppData\Local\Temp\'
- TargetFilename|contains: '\AppData\Local\Temp\'
filter_optional_chrome:
Image|endswith: '\ChromeSetup.exe'
TargetFilename|contains: '\Google'
filter_main_dot_net:
Image|contains: ':\Windows\Microsoft.NET\Framework'
Image|endswith: '\mscorsvw.exe'
TargetFilename|contains: ':\Windows\assembly'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
# Please contribute to FP to increase the level
- Software installers
- Update utilities
- 32bit applications launching their 64bit versions
level: low