← Back to Explore
sigmahighHunting
Suspicious Executable File Creation
Detect creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
Detection Query
selection:
TargetFilename|endswith:
- :\$Recycle.Bin.exe
- :\Documents and Settings.exe
- :\MSOCache.exe
- :\PerfLogs.exe
- :\Recovery.exe
- .bat.exe
- .sys.exe
condition: selection
Author
frack113
Created
2022-09-05
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1564
Raw Content
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: |
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022-09-05
modified: 2023-12-11
tags:
- attack.defense-evasion
- attack.t1564
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\$Recycle.Bin.exe'
- ':\Documents and Settings.exe'
- ':\MSOCache.exe'
- ':\PerfLogs.exe'
- ':\Recovery.exe'
- '.bat.exe'
- '.sys.exe'
condition: selection
falsepositives:
- Unknown
level: high