← Back to Explore
sigmahighHunting
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
Detection Query
selection:
Image|endswith:
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
- \certutil.exe
- \certoc.exe
- \CertReq.exe
- \Desktopimgdownldr.exe
- \esentutl.exe
- \mshta.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
- \finger.exe
TargetFilename|endswith:
- .exe
- .dll
- .ocx
condition: selection
Author
frack113, Florian Roth (Nextron Systems)
Created
2022-08-21
Data Sources
windowsFile Events
Platforms
windows
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.defense-evasion
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unknown
level: high