Files dropped by Winnti malware, as identified in the RedMimicry playbook, indicate potential adversary persistence and execution capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Winnti infections before they establish deeper network access.
Detection Rule
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
    - https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\gthread-3.6.dll'
            - '\sigcmm-2.4.dll'
            - '\Windows\Temp\tmp.bat'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
| where TargetFileName endswith "\\gthread-3.6.dll"
    or TargetFileName endswith "\\sigcmm-2.4.dll"
    or TargetFileName endswith "\\Windows\\Temp\\tmp.bat"
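The selection logic of the rule above, applied to constructed file-creation events, as an added example that is not part of the original page or of the Sigma project. It also contrasts two ways of scoping an exclusion from the false-positive scenarios that follow: a directory-wide exclusion of C:\Windows\Temp\ silently suppresses the rule's own tmp.bat indicator, while an exclusion keyed on the parent image does not. The hosts, users and parent images in the sample events are invented.

```python
# Added example (not the page's or the Sigma project's code): applies the rule's
# TargetFilename|endswith selection to constructed Windows file events and shows
# the effect of two exclusion strategies on the rule's own indicators.

# Suffixes from the Sigma rule. Sigma string modifiers match case-insensitively,
# so both sides of the comparison are lowercased.
WINNTI_SUFFIXES = (
    "\\gthread-3.6.dll",
    "\\sigcmm-2.4.dll",
    "\\windows\\temp\\tmp.bat",
)

# Constructed sample events (hypothetical hosts, users and parent images).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "parent": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe",
     "TargetFilename": "C:\\ProgramData\\gthread-3.6.dll"},
    {"host": "ws01", "user": "SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\Temp\\tmp.bat"},
    {"host": "ws02", "user": "SYSTEM", "parent": "C:\\Windows\\System32\\wusa.exe",
     "TargetFilename": "C:\\Windows\\Temp\\wusa1234.tmp"},
    {"host": "ws02", "user": "jdoe", "parent": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\Program Files\\App\\sigcmm-2.4.dll"},
]

def matches_rule(event):
    """Sigma 'selection': TargetFilename ends with any of the listed suffixes."""
    name = event["TargetFilename"].lower()
    return any(name.endswith(s) for s in WINNTI_SUFFIXES)

def excluded_by_directory(event):
    """Broad exclusion (wusa.exe scenario): anything written under C:\\Windows\\Temp\\."""
    return event["TargetFilename"].lower().startswith("c:\\windows\\temp\\")

def excluded_by_parent(event, allowed_parents=("wusa.exe",)):
    """Narrow exclusion: only events whose parent image is a known installer."""
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    return parent in allowed_parents

def alerts(events, exclusion=None):
    """Return the target filenames that still fire after applying an exclusion."""
    return [e["TargetFilename"] for e in events
            if matches_rule(e) and not (exclusion and exclusion(e))]

if __name__ == "__main__":
    print("no exclusion:       ", alerts(SAMPLE_EVENTS))
    print("directory exclusion:", alerts(SAMPLE_EVENTS, excluded_by_directory))
    print("parent exclusion:   ", alerts(SAMPLE_EVENTS, excluded_by_parent))
```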
Scenario: Legitimate Windows Update Installer (e.g., wusa.exe)
Description: The wusa.exe tool is used by Windows to install updates and may drop temporary files that could be flagged by the rule.
Filter/Exclusion: Exclude files with the full path C:\Windows\Temp\* or check the file name against known Windows update installers.
Scenario: Scheduled Task for System Maintenance (e.g., schtasks.exe)
Description: A scheduled task might drop a file as part of a routine system cleanup or maintenance script, which could be mistaken for a Winnti dropper.
Filter/Exclusion: Exclude files created by processes with the command line containing /C schtasks.exe or by the SYSTEM account.
Scenario: Admin Tool for Remote Management (e.g., PsExec or PSTools)
Description: Administrators may use tools like PsExec to remotely execute commands and drop files on target systems for legitimate management tasks.
Filter/Exclusion: Exclude files dropped by processes with the parent process name PsExec.exe or by users with elevated privileges (e.g., Administrator).
Scenario: Antivirus Quarantine File (e.g., Quarantine.exe)
Description: Antivirus software may drop files into a quarantine directory as part of its scanning process, which could be flagged by the rule.
Filter/Exclusion: Exclude files located in directories like C:\ProgramData\Microsoft\Windows Defender\Quarantine\* or with file extensions like .quarantine.
Scenario: Log File or Temporary File from System Tools (e.g., logman.exe, eventcreate.exe)
Description: System tools such as logman.exe or `eventcreate