
Legitimate Application Writing Files In Uncommon Location

Format: Sigma · Level: high · Source: SigmaHQ
ATT&CK: T1218, T1105
Sentinel table: imFileEvent
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
Retrieved: 2026-03-19T03:46:59Z · Confidence: low

Hunt Hypothesis

Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries, LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions. Note that the rule matches any file type, not only executables, and that its false-positive list is "Unknown": baseline it in a test workspace before enabling it at level high.

Detection Rule

Sigma (Original)

title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
      type: similar
status: experimental
description: |
    Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
    Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
    - https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection_img:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\cmdl32.exe'
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            - '\bitsadmin.exe'
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            - '\expand.exe'
            - '\extrac32.exe'
            - '\replace.exe'
            - '\mshta.exe'
            - '\ftp.exe'
            - '\Ldifde.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
            - '\findstr.exe'
    selection_locations:
        TargetFilename|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml

KQL (Azure Sentinel)

// Translation corrected against the ASIM FileEvent schema: the Sigma Image field is the
// process performing the write, which imFileEvent exposes as ActingProcessName (the
// auto-generated translation tested TargetFilePath, i.e. the file being written, against
// the LOLBin names). The location test belongs on TargetFilePath; TargetFileName holds
// only the file name, so a test for ":\Windows\" on it can never match.
let lolbins = dynamic([
    "eqnedt32.exe", "wordpad.exe", "wordview.exe",
    "cmdl32.exe", "certutil.exe", "certoc.exe", "certreq.exe",
    "bitsadmin.exe", "desktopimgdownldr.exe", "esentutl.exe",
    "expand.exe", "extrac32.exe", "replace.exe", "mshta.exe",
    "ftp.exe", "ldifde.exe", "rdrcef.exe", "hh.exe",
    "finger.exe", "findstr.exe"
]);
imFileEvent
// Sigma's file_event category is file creation (Sysmon Event ID 11).
| where EventType == "FileCreated"
// Compare the executable name only, lower-cased, so the match is path- and
// case-insensitive like Sigma's |endswith.
| extend ActingImage = tolower(tostring(split(ActingProcessName, @"\")[-1]))
| where ActingImage in (lolbins)
| where TargetFilePath contains @":\Perflogs"
    or TargetFilePath contains @":\ProgramData\"
    or TargetFilePath contains @":\Temp\"
    or TargetFilePath contains @":\Users\Public\"
    or TargetFilePath contains @":\Windows\"
    or TargetFilePath contains @"\$Recycle.Bin\"
    or TargetFilePath contains @"\AppData\Local\"
    or TargetFilePath contains @"\AppData\Roaming\"
    or TargetFilePath contains @"\Contacts\"
    or TargetFilePath contains @"\Desktop\"
    or TargetFilePath contains @"\Favorites\"
    or TargetFilePath contains @"\Favourites\"
    or TargetFilePath contains @"\inetpub\wwwroot\"
    or TargetFilePath contains @"\Music\"
    or TargetFilePath contains @"\Pictures\"
    or TargetFilePath contains @"\Start Menu\Programs\Startup\"
    or TargetFilePath contains @"\Users\Default\"
    or TargetFilePath contains @"\Videos\"
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, ActingProcessCommandLine, TargetFilePath
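To check what the two selections actually match before deploying, the following added example (written for this page, not SigmaHQ or Nextron code) evaluates the rule's logic offline against constructed Sysmon Event ID 11 records, the Windows source that Sigma's file_event category maps to. The field names (Image, TargetFilename) are Sysmon's, the sample records are made up, and the cases deliberately cover the edge cases a detection engineer wants to see: case-insensitive matching, certutil's own cache under AppData\LocalLow (not matched by "\AppData\Local\"), and a WordPad save to the Desktop (a guaranteed benign hit).

```python
# Added example for this page (not SigmaHQ or Nextron code): evaluates the rule's two
# selections over constructed Sysmon Event ID 11 (FileCreate) records.

# Copied from selection_img. Sigma |endswith compares case-insensitively.
LOLBIN_SUFFIXES = [
    r"\eqnedt32.exe", r"\wordpad.exe", r"\wordview.exe",
    r"\cmdl32.exe", r"\certutil.exe", r"\certoc.exe", r"\CertReq.exe",
    r"\bitsadmin.exe", r"\Desktopimgdownldr.exe", r"\esentutl.exe",
    r"\expand.exe", r"\extrac32.exe", r"\replace.exe", r"\mshta.exe",
    r"\ftp.exe", r"\Ldifde.exe", r"\RdrCEF.exe", r"\hh.exe",
    r"\finger.exe", r"\findstr.exe",
]

# Copied from selection_locations. Note ":\Perflogs" has no trailing backslash, so it
# also matches a path such as C:\PerflogsArchive\...; every other entry is anchored.
LOCATION_SUBSTRINGS = [
    ":\\Perflogs", ":\\ProgramData\\", ":\\Temp\\", ":\\Users\\Public\\", ":\\Windows\\",
    "\\$Recycle.Bin\\", "\\AppData\\Local\\", "\\AppData\\Roaming\\", "\\Contacts\\",
    "\\Desktop\\", "\\Favorites\\", "\\Favourites\\", "\\inetpub\\wwwroot\\", "\\Music\\",
    "\\Pictures\\", "\\Start Menu\\Programs\\Startup\\", "\\Users\\Default\\", "\\Videos\\",
]


def image_selected(image: str) -> bool:
    """selection_img: Image|endswith any listed suffix, case-insensitive."""
    img = image.lower()
    return any(img.endswith(s.lower()) for s in LOLBIN_SUFFIXES)


def location_selected(target_filename: str) -> bool:
    """selection_locations: TargetFilename|contains any listed fragment, case-insensitive."""
    tgt = target_filename.lower()
    return any(s.lower() in tgt for s in LOCATION_SUBSTRINGS)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_*; only Sysmon FileCreate (Event ID 11) is in scope."""
    return (
        event.get("EventID") == 11
        and image_selected(event.get("Image", ""))
        and location_selected(event.get("TargetFilename", ""))
    )


def evaluate(events: list) -> list:
    """Return the TargetFilename of every event the rule would alert on, in input order."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed records (not real telemetry) covering the cases to check before enabling
# a level: high rule.
SAMPLE_EVENTS = [
    # 1. The intended case: certutil used as a downloader, dropping into a public directory.
    {"EventID": 11, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\update.exe"},
    # 2. certutil's URL cache lives under AppData\LocalLow; "\AppData\Local\" does not
    #    match "\AppData\LocalLow\", so this benign write is NOT flagged.
    {"EventID": 11, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\alice\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0123ABCD"},
    # 3. A user saving a document with WordPad to the Desktop: benign, but the rule
    #    matches any file type, so this is a guaranteed false positive.
    {"EventID": 11, "Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.rtf"},
    # 4. Upper-case path: Sigma matching is case-insensitive, so this still fires.
    {"EventID": 11, "Image": r"C:\WINDOWS\SYSTEM32\BITSADMIN.EXE",
     "TargetFilename": r"C:\WINDOWS\TEMP\payload.dll"},
    # 5. Listed binary, unlisted location: no alert.
    {"EventID": 11, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\tools\out.bin"},
    # 6. Unlisted binary writing to a listed location: no alert (cmd.exe is not in the rule).
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\out.exe"},
    # 7. Same write as case 1 but reported as Sysmon FileDelete (Event ID 23): out of scope.
    {"EventID": 23, "Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\update.exe"},
]

if __name__ == "__main__":
    for path in evaluate(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Cases 1, 3 and 4 alert; 2, 5, 6 and 7 do not. Case 3 is the one to study: every WordPad save into a user's Desktop, Music, Pictures or Videos folder fires this rule, which is why the level: high rating needs local tuning.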

Required Data Sources

Sentinel table: imFileEvent
Notes: imFileEvent is an ASIM (Advanced Security Information Model) parser, not a data connector. It only returns rows when a file-event source it normalizes is being ingested, for example Sysmon Event ID 11 forwarded into the Event table, or Microsoft Defender for Endpoint DeviceFileEvents. Before relying on the rule, confirm that `imFileEvent | take 10` returns rows with ActingProcessName and TargetFilePath populated; without the acting process path the image selection can never match.

False Positive Guidance

The rule itself lists falsepositives as Unknown, and it matches files of any type, so expect benign hits. Known sources to baseline first: WordPad (wordpad.exe) saving documents into a user's Desktop, Music, Pictures or Videos folder; expand.exe and extrac32.exe extracting cabinets under :\Windows\ or :\ProgramData\ during software installation and Windows servicing; hh.exe maintaining its index file (hh.dat) under \AppData\Roaming\Microsoft\HTML Help\. Conversely, certutil's own URL cache (CryptnetUrlCache) lives under AppData\LocalLow, which the "\AppData\Local\" string does not match, so that common benign write does not contribute noise. Also note that ":\Perflogs" lacks a trailing backslash and therefore matches any directory whose name starts with Perflogs.

MITRE ATT&CK Context

T1218 System Binary Proxy Execution (Defense Evasion): the listed binaries are signed Windows or Office components, so a write by one of them looks like normal system activity to allow-listing controls.
T1105 Ingress Tool Transfer (Command and Control): several of the listed binaries (certutil, bitsadmin, Desktopimgdownldr, esentutl, ftp, finger, findstr and others catalogued at the LOLBAS download reference) can fetch or copy a file from a remote source, which is the behaviour the write to an unusual location is meant to surface.

Validation (Atomic Red Team)

Use these Atomic Red Team tests to validate this detection fires correctly:

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml