Unusual Executable File Creation by a System Critical Process
Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.
Detection Query
file where host.os.type == "windows" and event.type != "deletion" and
  file.extension : ("exe", "dll") and
  process.name : ("smss.exe",
                  "autochk.exe",
                  "csrss.exe",
                  "wininit.exe",
                  "services.exe",
                  "lsass.exe",
                  "winlogon.exe",
                  "userinit.exe",
                  "LogonUI.exe") and
  not (
    process.name : "smss.exe" and
    file.path : (
      "?:\\Windows\\System32\\wpbbin.exe",
      "\\Device\\HarddiskVolume*\\Windows\\System32\\wpbbin.exe"
    )
  ) and
  not (
    process.name : "lsass.exe" and
    file.path : (
      "?:\\Windows\\System32\\eac_usermode_*.dll",
      "\\Device\\HarddiskVolume*\\Windows\\System32\\eac_usermode_*.dll"
    )
  )
Author
Elastic
Created
2020/08/19
Data Sources
- Elastic Endgame
- Elastic Defend
- Sysmon
- Microsoft Defender XDR
- SentinelOne
- Crowdstrike
Indices: winlogbeat-*, logs-endpoint.events.file-*, logs-windows.sysmon_operational-*, endgame-*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-crowdstrike.fdr*
Tags
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Tactic: Execution
- Resources: Investigation Guide
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Data Source: Sysmon
- Data Source: Microsoft Defender XDR
- Data Source: SentinelOne
- Data Source: Crowdstrike
Raw Content
[metadata]
creation_date = "2020/08/19"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/30"
[rule]
author = ["Elastic"]
description = """
Identifies an unexpected executable file being created or modified by a Windows system critical process, which may
indicate activity related to remote code execution or other forms of exploitation.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-endpoint.events.file-*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual Executable File Creation by a System Critical Process"
risk_score = 73
rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "windows" and event.type != "deletion" and
file.extension : ("exe", "dll") and
process.name : ("smss.exe",
"autochk.exe",
"csrss.exe",
"wininit.exe",
"services.exe",
"lsass.exe",
"winlogon.exe",
"userinit.exe",
"LogonUI.exe") and
not (
process.name : "smss.exe" and
file.path : (
"?:\\Windows\\System32\\wpbbin.exe",
"\\Device\\HarddiskVolume*\\Windows\\System32\\wpbbin.exe"
)
) and
not (
process.name : "lsass.exe" and
file.path : (
"?:\\Windows\\System32\\eac_usermode_*.dll",
"\\Device\\HarddiskVolume*\\Windows\\System32\\eac_usermode_*.dll"
)
)
'''
note = """## Triage and analysis
### Investigating Unusual Executable File Creation by a System Critical Process
#### Possible investigation steps
- What exact critical-process write did the alert preserve?
  - Focus: `process.name`, `process.executable`, `file.path`, `file.extension`, and `event.action`; writer should match a critical-process name in the query.
  - Implication: escalate faster when it writes an EXE or DLL in user-writable, startup, temp, or other non-servicing paths; lower concern only for protected OS servicing paths or a repaired vendor product tree.
- Is the writer the expected protected Windows binary, not a masquerade or tampered copy?
  - Why: exploitation for defense evasion can preserve a genuine protected-process identity while changing what that process writes.
  - Focus: `process.executable`, `process.code_signature.subject_name`, and `process.code_signature.trusted`; recover `process.hash.sha256` and `process.pe.original_file_name` from matching process-start events on `host.id` and `process.entity_id` when absent. $investigate_1
  - Implication: escalate when path, signer, hash, or original file name conflicts with the expected critical process; if identity is the expected Microsoft binary, continue because exploitation can still force a genuine process to write attacker-controlled content.
- What launch and user context led to the write?
  - Why: client-side or service exploitation often appears as Office, browser, script, archive, or user-profile ancestry before an abnormal critical-process file write.
  - Focus: matching process-start event: `process.command_line`, `process.parent.executable`, `process.parent.command_line`, `process.Ext.ancestry`, and `user.id`.
  - Implication: escalate when the chain traces to Office, browser, script, archive, LOLBin, or user-profile activity before the critical-process write; lower concern only when parentage and user context align with OS servicing or one bounded product repair.
- Does the written artifact look staged or renamed rather than serviced?
  - Focus: `file.path`, `file.Ext.original.path`, `file.Ext.original.extension`, `file.Ext.header_bytes`, and `file.Ext.windows.zone_identifier`. $investigate_2
  - Implication: escalate when content is renamed into an executable extension, lands in a deceptive or writable path, carries internet provenance, or header bytes do not fit the file name.
- Did the written file become an execution target or command-line dependency?
  - Focus: same-writer file activity on `host.id` and `process.entity_id`, plus later process starts from `file.path`. $investigate_0
  - Hint: for EXE reuse, inspect later process starts where `process.executable` equals `file.path`; for DLL writes, search `process.command_line` for the path and treat a quiet result as unresolved, not benign. $investigate_5
  - Implication: escalate when the artifact executes or is referenced by follow-on commands; if the same-process file view is quiet, use the EXE or DLL recovery cue before lowering urgency.
- If local evidence remains suspicious or unresolved, does the artifact pattern recur on this host or other hosts?
  - Focus: related alerts for the same written `file.path`; add writer `process.executable` only after alert or identity confirms it. $investigate_3
  - Hint: compare related alerts for the same `host.id` and `host.name` before broadening to other assets. $investigate_4
  - Implication: broaden scope when the same artifact path, writer identity, or follow-on execution appears on multiple hosts or repeats on the same host; localize when evidence stays limited to one short-lived, well-bounded servicing chain.
- Escalate for abnormal identity, exploit-like lineage, staged content, execution/reference, or recurrence; close only when identity, lineage, artifact, and scope bind one servicing or vendor-maintenance workflow with no contradictions; preserve artifacts and escalate when evidence stays mixed or incomplete.
### False positive analysis
- Windows servicing/component repair or product/security-agent upgrade can replace binaries in protected OS or vendor paths. Confirm writer identity (`process.executable`, `process.code_signature.subject_name`, `process.hash.sha256`, `process.pe.original_file_name`), lineage (`process.parent.executable`, `process.Ext.ancestry`), and `file.path` all match one servicing or product workflow on the same `host.id`; for vendor repair, also require the path to stay inside the vendor directory and no user-writable staging, staged rename, or later execution from that path. If maintenance records are unavailable, use prior alerts from this rule for the same host and require the same protected path pattern without staged rename or later execution.
- Before creating an exception, require recurrence for the same `host.id` plus stable `process.executable`, `process.code_signature.subject_name`, parent context, and protected `file.path` pattern. Avoid exceptions on `process.name`, `file.extension`, or the whole critical-process list alone.
### Response and remediation
- If confirmed benign, reverse temporary containment and document the servicing or vendor-maintenance evidence: writer identity, parent context, written path, content indicators, and host scope. Create an exception only after the bounded pattern recurs.
- If suspicious but unconfirmed, export the alert file event and matching process-start event, preserve a copy of the written file when safe, and record the writer `process.entity_id`, `process.command_line`, `process.parent.executable`, `file.path`, and recovered `process.hash.sha256` before containment. Apply reversible containment first, such as heightened monitoring or temporary host isolation when host criticality allows, and avoid deleting the artifact until scope is clearer.
- If confirmed malicious, isolate the host when writer identity, lineage, artifact, or execution evidence establishes unauthorized activity. Record `process.entity_id`, `process.executable`, `process.command_line`, `file.path`, and recovered hashes before killing processes or deleting files; then terminate the offending process if still active and quarantine only the executable or DLL artifacts identified during investigation.
- Post-incident hardening should verify why a critical process could write executable content, restore affected files from trusted media when replacement occurred, retain process and file telemetry that supported the case, and document artifact-path or lineage variants in the incident record for future triage.
"""
setup = """## Setup
This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
### Additional data sources
This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)
"""
[rule.investigation_fields]
field_names = [
"@timestamp",
"host.name",
"host.id",
"user.id",
"process.entity_id",
"process.name",
"process.executable",
"process.code_signature.subject_name",
"process.code_signature.trusted",
"file.path",
"file.extension",
"file.Ext.original.path",
"file.Ext.header_bytes",
"file.Ext.windows.zone_identifier",
"event.action",
]
[transform]
[[transform.investigate]]
label = "Events for the writing process on this host"
description = ""
providers = [
[
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "Process start for the writing process"
description = ""
providers = [
[
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
{ excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "File activity for the written path on this host"
description = ""
providers = [
[
{ excluded = false, field = "file.path", queryType = "phrase", value = "{{file.path}}", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[transform.investigate]]
label = "Alerts associated with the written file path"
description = ""
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "file.path", queryType = "phrase", value = "{{file.path}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "Process starts from the written file path on this host"
description = ""
providers = [
[
{ excluded = false, field = "process.executable", queryType = "phrase", value = "{{file.path}}", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
{ excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
],
[
{ excluded = false, field = "process.command_line", queryType = "phrase", value = "{{file.path}}", valueType = "string" },
{ excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
{ excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
{ excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
]
]
relativeFrom = "now-1h"
relativeTo = "now"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1211"
name = "Exploitation for Defense Evasion"
reference = "https://attack.mitre.org/techniques/T1211/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"