Adversaries may drop executables whose names mimic system folders at a drive root, or that sit exactly where an unquoted service path would resolve, so that the service starts their binary with its privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify privilege escalation or persistence early. Note the rule's scope before tuning it: none of the listed drive-root names (for example C:\PerfLogs.exe) has a legitimate use, so a match there deserves immediate triage, while the `.bat.exe` and `.sys.exe` double extensions are where false positives and tuning usually appear.
Detection Rule
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: |
    Detect creation of suspicious executable file names.
    Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
    - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
    - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022-09-05
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1564
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\$Recycle.Bin.exe'
            - ':\Documents and Settings.exe'
            - ':\MSOCache.exe'
            - ':\PerfLogs.exe'
            - ':\Recovery.exe'
            - '.bat.exe'
            - '.sys.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
// In the ASIM FileEvent schema TargetFilePath holds the full normalized path and
// TargetFileName only the bare file name, so the drive-root patterns (":\...") must
// be matched against TargetFilePath. The Sigma category file_event covers file
// creation only, hence the EventType filter; KQL endswith is case-insensitive.
| where EventType == "FileCreated"
| where TargetFilePath endswith ":\\$Recycle.Bin.exe"
    or TargetFilePath endswith ":\\Documents and Settings.exe"
    or TargetFilePath endswith ":\\MSOCache.exe"
    or TargetFilePath endswith ":\\PerfLogs.exe"
    or TargetFilePath endswith ":\\Recovery.exe"
    or TargetFilePath endswith ".bat.exe"
    or TargetFilePath endswith ".sys.exe"
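The same selection logic, as an added example that is not part of the Sigma rule or the Sentinel query above: it re-implements the rule's endswith matching in Python, runs it over a handful of constructed ASIM-style file events (the paths and process names are made up for illustration), and adds a helper that derives the hijack candidates of an unquoted service ImagePath, which goes beyond the page's specific names to the general mechanism. Running it shows two things the text only implies: the `:\` anchored entries need the full path and never match a bare file name, and the classic unquoted-path target `C:\Program.exe` is not something this rule alerts on.

```python
# Added example (not the rule author's code): the Sigma selection in Python,
# applied to constructed file-creation events, plus the unquoted-service-path
# candidate derivation that explains what such detections are looking for.
import ntpath

# The TargetFilename|endswith values from the rule. Sigma string matching is
# case-insensitive by default, so both sides are lowercased before comparing.
SUSPICIOUS_SUFFIXES = (
    r":\$Recycle.Bin.exe",
    r":\Documents and Settings.exe",
    r":\MSOCache.exe",
    r":\PerfLogs.exe",
    r":\Recovery.exe",
    ".bat.exe",
    ".sys.exe",
)


def matches_rule(target: str) -> bool:
    """True when `target` ends with one of the rule's suffixes.

    `target` must be the full path (Sigma TargetFilename / ASIM TargetFilePath);
    the ':\\'-anchored entries can never match a bare file name.
    """
    lowered = target.lower()
    return any(lowered.endswith(suffix.lower()) for suffix in SUSPICIOUS_SUFFIXES)


def hijack_candidates(image_path: str) -> list[str]:
    """Files Windows probes before the real binary when a service ImagePath is
    unquoted and contains spaces: every prefix that ends at a space, with
    '.exe' appended (the CreateProcess search order for unquoted paths)."""
    parts = image_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def scan_events(events: list[dict]) -> list[dict]:
    """Apply the rule to ASIM-style events; only file creations are in scope."""
    return [
        e for e in events
        if e.get("EventType") == "FileCreated" and matches_rule(e["TargetFilePath"])
    ]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventType": "FileCreated", "TargetFilePath": r"C:\PerfLogs.exe",
     "ActingProcessName": r"C:\Users\bob\AppData\Local\Temp\stage1.exe"},
    {"EventType": "FileCreated", "TargetFilePath": r"C:\Users\bob\Downloads\invoice.bat.exe",
     "ActingProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    # The textbook unquoted-path hijack target: the rule does not list it.
    {"EventType": "FileCreated", "TargetFilePath": r"C:\Program.exe",
     "ActingProcessName": r"C:\Windows\System32\cmd.exe"},
    # Same name but not at a drive root, so the ':\' anchor does not match.
    {"EventType": "FileCreated", "TargetFilePath": r"C:\Windows\Temp\perflogs.exe",
     "ActingProcessName": r"C:\Windows\System32\msiexec.exe"},
    # Right name, wrong event type: deletions are out of scope for file_event.
    {"EventType": "FileDeleted", "TargetFilePath": r"C:\Recovery.exe",
     "ActingProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT", hit["TargetFilePath"], "created by", hit["ActingProcessName"])
    # Why the query must use the full-path field: the bare name never matches.
    print("bare name matches:", matches_rule(ntpath.basename(r"C:\PerfLogs.exe")))
    # What an unquoted ImagePath exposes, and how little of it this rule covers.
    for cand in hijack_candidates(r"C:\Program Files\Acme Backup\svc.exe"):
        print(cand, "-> covered by rule:", matches_rule(cand))
```

The `hijack_candidates` output is the list a hunter would pair with this rule: writes to any of those paths by a non-installer process are the real signal for the unquoted-service-path technique, and only a few of them happen to share a name with the rule's drive-root entries.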
Scenario: A system administrator tests a scheduled task that runs a legitimate backup tool (e.g., wbadmin.exe) through a temporary wrapper executable. This only trips the rule if the wrapper carries one of the listed double extensions (e.g., backup.bat.exe) or is written to a drive root under one of the listed folder names.
Filter/Exclusion: Exclude on the creating process and its code signer rather than on the user account; "created by a known system administrator" is not a safe exclusion, because adversaries routinely operate from compromised admin accounts. Be equally careful with path exclusions for staging directories such as C:\Windows\Temp or C:\Users\Administrator\AppData\Local\Temp: those are exactly where malware drops its payloads, so if a path exclusion is unavoidable, pair it with the specific process.
Scenario: A developer uses a build tool like MSBuild or Gradle to generate a temporary executable during a CI/CD pipeline.
Filter/Exclusion: Exclude files created within known CI/CD directories (e.g., C:\Builds, C:\Projects, or C:\CI) or by the build processes (msbuild.exe, gradle.exe, or dotnet.exe), but scope the exclusion to build hosts and the expected output directory: msbuild.exe and dotnet.exe are also used by attackers as living-off-the-land binaries, so a fleet-wide process exclusion would blind the rule.
Scenario: A user runs a legitimate security tool like Malwarebytes or Windows Defender that creates temporary executable files during a scan.
Filter/Exclusion: Exclude files created by the tool's own process (e.g., mbam.exe or MsMpEng.exe) within the tool's installation or temporary directories, ideally conditioned on the process being signed by the vendor, since a process name alone is trivially spoofed.
Scenario: A system update or patching process (e.g., Windows Update, Chocolatey, or WSUS) generates a temporary executable file during installation.
Filter/Exclusion: Exclude files created by known update mechanisms (e.g., wusa.exe, choco.exe, or wsusutil.exe) within their update directories (e.g., C:\Windows\SoftwareDistribution). Avoid a blanket exclusion on C:\Windows\Temp, which is writable by far more than the update stack.
Scenario: A user is running a legitimate script or tool (e.g., PowerShell, Python, or Batch) that dynamically generates a temporary executable for a specific purpose (e.g., a self-contained application