← Back to Explore
sigmahighHunting
Legitimate Application Dropped Executable
Detects LOLBINs and applications that should not legitimately drop executable or executable-equivalent files to disk. This may indicate malware staging, process injection, or abuse of a trusted binary for payload delivery.
MITRE ATT&CK
Detection Query
selection:
Image|endswith:
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \mshta.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
- \finger.exe
TargetFilename|endswith:
- .com
- .dll
- .exe
- .jar
- .ocx
- .pyc
condition: selection
Author
frack113, Florian Roth (Nextron Systems)
Created
2022-08-21
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.stealthattack.t1218
Raw Content
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: |
Detects LOLBINs and applications that should not legitimately drop executable or executable-equivalent files to disk.
This may indicate malware staging, process injection, or abuse of a trusted binary for payload delivery.
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
- https://dmpdump.github.io/posts/TelegramRat/
- https://www.virustotal.com/gui/file/a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21/behavior
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2026-05-11
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.com'
- '.dll'
- '.exe'
- '.jar'
- '.ocx'
- '.pyc'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe/info.yml