EXPLORE
← Back to Explore
sigmahighHunting

Legitimate Application Dropped Executable

Detects LOLBINs and applications that should not legitimately drop executable or executable-equivalent files to disk. This may indicate malware staging, process injection, or abuse of a trusted binary for payload delivery.

MITRE ATT&CK

Detection Query

selection:
  Image|endswith:
    - \eqnedt32.exe
    - \wordpad.exe
    - \wordview.exe
    - \certutil.exe
    - \certoc.exe
    - \CertReq.exe
    - \Desktopimgdownldr.exe
    - \esentutl.exe
    - \mshta.exe
    - \AcroRd32.exe
    - \RdrCEF.exe
    - \hh.exe
    - \finger.exe
  TargetFilename|endswith:
    - .com
    - .dll
    - .exe
    - .jar
    - .ocx
    - .pyc
condition: selection

Author

frack113, Florian Roth (Nextron Systems)

Created

2022-08-21

Data Sources

windowsFile Events

Platforms

windows

Tags

attack.stealthattack.t1218
Raw Content
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: |
    Detects LOLBINs and applications that should not legitimately drop executable or executable-equivalent files to disk.
    This may indicate malware staging, process injection, or abuse of a trusted binary for payload delivery.
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
    - https://dmpdump.github.io/posts/TelegramRat/
    - https://www.virustotal.com/gui/file/a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21/behavior
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2026-05-11
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.com'
            - '.dll'
            - '.exe'
            - '.jar'
            - '.ocx'
            - '.pyc'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe/info.yml