← Back to Explore
sigmahighHunting
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk
Detection Query
selection:
Image|endswith:
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \mshta.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
- \finger.exe
TargetFilename|endswith:
- .ps1
- .bat
- .vbs
- .scf
- .wsf
- .wsh
condition: selection
Author
frack113, Florian Roth (Nextron Systems)
Created
2022-08-21
Data Sources
windowsFile Events
Platforms
windows
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.defense-evasion
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.ps1'
- '.bat'
- '.vbs'
- '.scf'
- '.wsf'
- '.wsh'
condition: selection
falsepositives:
- Unknown
level: high