Adversaries may drop malicious executables through legitimate applications to evade detection and execute payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of systems where trusted applications are being abused for malicious purposes.
Detection Rule
```yaml
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            # - '\bitsadmin.exe' (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            # - '\expand.exe'
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: high
```
Azure Sentinel Query (ASIM imFileEvent)

```kql
// The Sigma `Image` field is the process performing the write, which the ASIM
// file-event schema carries in ActingProcessName; TargetFilePath/TargetFileName
// describe the file being created, so the two must not be mixed up.
imFileEvent
| where (ActingProcessName endswith "\\eqnedt32.exe"
      or ActingProcessName endswith "\\wordpad.exe"
      or ActingProcessName endswith "\\wordview.exe"
      or ActingProcessName endswith "\\certutil.exe"
      or ActingProcessName endswith "\\certoc.exe"
      or ActingProcessName endswith "\\CertReq.exe"
      or ActingProcessName endswith "\\Desktopimgdownldr.exe"
      or ActingProcessName endswith "\\esentutl.exe"
      or ActingProcessName endswith "\\mshta.exe"
      or ActingProcessName endswith "\\AcroRd32.exe"
      or ActingProcessName endswith "\\RdrCEF.exe"
      or ActingProcessName endswith "\\hh.exe"
      or ActingProcessName endswith "\\finger.exe")
    and (TargetFileName endswith ".exe"
      or TargetFileName endswith ".dll"
      or TargetFileName endswith ".ocx")
```
False Positive Scenarios and Tuning

Scenario: A legitimate system update or patching tool (e.g., Windows Update, Microsoft Endpoint Manager) temporarily writes an executable to disk during installation.
Filter/Exclusion: Exclude processes associated with known update mechanisms, e.g., wuauclt.exe, msiexec.exe, or setup.exe, from the process name field.

Scenario: A scheduled job runs a trusted third-party application (e.g., SCCM, Chef, or Puppet) that generates temporary executable files during configuration deployment.
Filter/Exclusion: Exclude processes running under a specific service account or with a known command-line argument associated with configuration management tools.

Scenario: An administrator manually executes a script or tool (e.g., PowerShell, Python, or a custom deployment script) that temporarily writes an executable for testing or debugging purposes.
Filter/Exclusion: Exclude processes initiated by known admin accounts (e.g., Administrator, Domain Admins) or those with a specific command-line argument indicating testing.

Scenario: A legitimate security tool (e.g., Microsoft Defender or CrowdStrike Falcon) writes a temporary executable to disk during a scan or signature update.
Filter/Exclusion: Exclude processes associated with known security software, such as MsMpEng.exe, falcon.exe, or mfev.exe.

Scenario: A backup or restore tool (e.g., Veeam, Acronis, or Windows Backup) writes an executable during a restore operation.
Filter/Exclusion: Exclude processes associated with backup tools, such as VeeamBackup.exe, AcronisBackup.exe, or wbemcons.exe.
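The rule's selection logic and the tuning idea from the scenarios above, as an added example that is not part of the Sigma rule or its KQL conversion. It applies the Image/TargetFilename match to constructed Sysmon Event ID 11 (FileCreate) style records using Sigma's default case-insensitive `endswith`, and shows one exclusion predicate for the backup scenario; the account `CORP\svc-backup`, the paths and the `User` field usage are assumptions.

```python
# Added example: the rule's selection logic over constructed Sysmon Event ID 11
# style records, with Sigma's case-insensitive `endswith` and a tuning hook.

DROPPER_IMAGES = (
    r"\eqnedt32.exe", r"\wordpad.exe", r"\wordview.exe",           # Office
    r"\certutil.exe", r"\certoc.exe", r"\CertReq.exe",             # LOLBINs
    r"\Desktopimgdownldr.exe", r"\esentutl.exe", r"\mshta.exe",
    r"\AcroRd32.exe", r"\RdrCEF.exe", r"\hh.exe", r"\finger.exe",  # never drop PEs
)
EXECUTABLE_EXTS = (".exe", ".dll", ".ocx")

def ends_with_any(value: str, suffixes) -> bool:
    """Sigma `endswith` compares case-insensitively unless `cased` is added."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def matches_rule(event: dict) -> bool:
    """The rule's `selection`: dropper Image AND executable TargetFilename."""
    return (ends_with_any(event["Image"], DROPPER_IMAGES)
            and ends_with_any(event["TargetFilename"], EXECUTABLE_EXTS))

def hunt(events, exclusions=()):
    """Return rule matches not covered by any tuning predicate."""
    return [e for e in events
            if matches_rule(e) and not any(excl(e) for excl in exclusions)]

def backup_service_exclusion(event: dict) -> bool:
    """Backup scenario above: a known backup service account running esentutl.exe
    against its own staging directory (constructed account and path)."""
    return (event["User"].lower() == "corp\\svc-backup"
            and event["Image"].lower().endswith("\\esentutl.exe")
            and event["TargetFilename"].lower().startswith("d:\\backup\\staging\\"))

# Constructed sample events; users and paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "User": r"CORP\jdoe",
     "TargetFilename": r"C:\Users\Public\update.exe"},                   # match
    {"Image": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "User": r"CORP\jdoe", "TargetFilename": r"C:\Temp\LOADER.DLL"},   # match (case)
    {"Image": r"C:\Windows\System32\mshta.exe", "User": r"CORP\jdoe",
     "TargetFilename": r"C:\Temp\page.txt"},                            # not a PE
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\jdoe", "TargetFilename": r"C:\Temp\invoice.exe"},  # other rule
    {"Image": r"C:\Windows\System32\esentutl.exe", "User": r"CORP\svc-backup",
     "TargetFilename": r"D:\Backup\staging\restore.dll"},              # match, tuned out
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS, exclusions=[backup_service_exclusion]):
        print("ALERT", e["Image"], "->", e["TargetFilename"])
```

Running the script prints two alerts (certutil.exe and AcroRd32.exe); the esentutl.exe event matches the rule but is suppressed by the exclusion, which is exactly the behaviour a tuned analytic rule should have.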