← Back to Explore
sigmahighHunting
Legitimate Application Dropped Script
Detects LOLBINs and applications that should not legitimately drop script files to disk. This may indicate malware staging or abuse of a trusted binary for script-based code execution.
MITRE ATT&CK
Detection Query
selection:
Image|endswith:
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \mshta.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
- \finger.exe
TargetFilename|endswith:
- .bat
- .chm
- .csproj
- .hta
- .js
- .jse
- .proj
- .ps1
- .py
- .scf
- .vbe
- .vbs
- .wsf
- .wsh
filter_main_mshta:
Image|endswith: \mshta.exe
TargetFilename|endswith: .hta
condition: selection and not 1 of filter_main_*
Author
frack113, Florian Roth (Nextron Systems)
Created
2022-08-21
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.stealthattack.t1218
Raw Content
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: |
Detects LOLBINs and applications that should not legitimately drop script files to disk.
This may indicate malware staging or abuse of a trusted binary for script-based code execution.
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
- https://dmpdump.github.io/posts/TelegramRat/
- https://www.virustotal.com/gui/file/a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21/behavior
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2026-05-11
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.bat'
- '.chm'
- '.csproj'
- '.hta'
- '.js'
- '.jse'
- '.proj'
- '.ps1'
- '.py'
- '.scf'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
filter_main_mshta:
Image|endswith: '\mshta.exe'
TargetFilename|endswith: '.hta'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script/info.yml