Sigma | medium | Hunting
XBAP Execution From Uncommon Locations Via PresentationHost.EXE
Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL.
Detection Query
selection_img:
    - Image|endswith: \presentationhost.exe
    - OriginalFileName: PresentationHost.exe
selection_cli:
    CommandLine|contains: .xbap
filter_main_generic:
    CommandLine|contains:
        - " C:\\Windows\\"
        - " C:\\Program Files"
condition: all of selection* and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-07-01
Data Sources
windows: Process Creation Events
Platforms
windows
Tags
attack.execution, attack.stealth, attack.t1218
Raw Content
title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
status: test
description: |
    Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-01
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\presentationhost.exe'
        - OriginalFileName: 'PresentationHost.exe'
    selection_cli:
        CommandLine|contains: '.xbap'
    filter_main_generic:
        CommandLine|contains: # Filter out legitimate locations if you find them
            - ' C:\Windows\'
            - ' C:\Program Files'
    condition: all of selection* and not 1 of filter_main_*
falsepositives:
    - Legitimate ".xbap" being executed via "PresentationHost"
level: medium
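The rule's detection logic evaluated over constructed process-creation events, as an added example that is not code from the rule or from the Sigma project. The event field names and the case-insensitive matching are assumptions based on Sigma's process_creation conventions; the sample events are constructed, not real telemetry.

```python
# Added example (not the rule's or Sigma's own code): a minimal evaluator for
# this rule's selections, filter and condition, run over constructed events.
# Assumption: fields are Image, OriginalFileName, CommandLine and Sigma's
# default |contains / |endswith matching is case-insensitive.

def _ci(value):
    return str(value or "").lower()

def selection_img(event):
    # A list under a selection is an OR across the listed alternatives.
    return (_ci(event.get("Image")).endswith("\\presentationhost.exe")
            or _ci(event.get("OriginalFileName")) == "presentationhost.exe")

def selection_cli(event):
    return ".xbap" in _ci(event.get("CommandLine"))

def filter_main_generic(event):
    # The leading space in the filter values is deliberate: it matches a path
    # passed as an argument, not the quoted PresentationHost.exe image path
    # that starts the command line.
    cli = _ci(event.get("CommandLine"))
    return any(v in cli for v in (" c:\\windows\\", " c:\\program files"))

def matches_rule(event):
    # condition: all of selection* and not 1 of filter_main_*
    return (selection_img(event) and selection_cli(event)
            and not filter_main_generic(event))

PH = "\"C:\\Windows\\System32\\PresentationHost.exe\""

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\PresentationHost.exe",
     "OriginalFileName": "PresentationHost.exe",
     "CommandLine": PH + r" C:\Users\alice\Downloads\app.xbap"},    # alert
    {"Image": r"C:\Windows\System32\PresentationHost.exe",
     "OriginalFileName": "PresentationHost.exe",
     "CommandLine": PH + r" C:\Program Files\Vendor\viewer.xbap"},  # filtered
    {"Image": r"C:\Windows\System32\PresentationHost.exe",
     "OriginalFileName": "PresentationHost.exe",
     "CommandLine": PH + " -embedding"},                            # no .xbap
    {"Image": r"C:\Users\alice\ph.exe",                             # renamed copy
     "OriginalFileName": "PresentationHost.exe",
     "CommandLine": r"C:\Users\alice\ph.exe C:\Users\alice\app.xbap"},
]

def alerting_indices(events):
    """Return the indices of events that satisfy the rule's condition."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print("alerts on events:", alerting_indices(SAMPLE_EVENTS))  # [0, 3]
```

The fourth event alerts only because OriginalFileName is part of selection_img, which is why the rule does not rely on the image path alone.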