EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Legitimate Application Dropped Archive

Detects programs on a Windows system that should not write an archive to disk

MITRE ATT&CK

T1218
defense-evasion

Detection Query

selection:
  Image|endswith:
    - \winword.exe
    - \excel.exe
    - \powerpnt.exe
    - \msaccess.exe
    - \mspub.exe
    - \eqnedt32.exe
    - \visio.exe
    - \wordpad.exe
    - \wordview.exe
    - \certutil.exe
    - \certoc.exe
    - \CertReq.exe
    - \Desktopimgdownldr.exe
    - \esentutl.exe
    - \finger.exe
    - \notepad.exe
    - \AcroRd32.exe
    - \RdrCEF.exe
    - \mshta.exe
    - \hh.exe
  TargetFilename|endswith:
    - .zip
    - .rar
    - .7z
    - .diagcab
    - .appx
condition: selection

Author

frack113, Florian Roth

Created

2022-08-21

Data Sources

windowsFile Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1218
Raw Content
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables
            - \winword.exe
            - \excel.exe
            - \powerpnt.exe
            - \msaccess.exe
            - \mspub.exe
            - \eqnedt32.exe
            - \visio.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - \finger.exe
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - \notepad.exe
            - \AcroRd32.exe
            - \RdrCEF.exe
            - \mshta.exe
            - \hh.exe
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
            - '.diagcab'
            - '.appx'
    condition: selection
falsepositives:
    - Unknown
level: high