The hypothesis is that an adversary is leveraging non-system processes to create malicious binaries in the WinSxS folder to evade detection or persist within the system. SOC teams should proactively hunt for this behavior in Azure Sentinel as it indicates potential compromise and unauthorized modification of system components.
Detection Rule
title: WinSxS Executable File Creation By Non-System Process
id: 34746e8c-5fb8-415a-b135-0abc167e912a
related:
    - id: 64827580-e4c3-4c64-97eb-c72325d45399
      type: derived
status: test
description: Detects the creation of binaries in the WinSxS folder by non-system processes
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
    - attack.execution
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '.exe'
    filter_main_system_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Azure Sentinel query (ASIM imFileEvent parser): the file's full path lives in TargetFilePath and the creating process in ActingProcessName, and the EventType filter restricts the search to file creations, matching the Sigma file_event category.
imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath startswith "C:\\Windows\\WinSxS\\" and TargetFilePath endswith ".exe"
| where not (ActingProcessName startswith "C:\\Windows\\System32\\" or ActingProcessName startswith "C:\\Windows\\SysWOW64\\" or ActingProcessName startswith "C:\\Windows\\WinSxS\\")
Scenario: A system administrator uses the DISM tool to refresh Windows system files, which may create temporary files in the WinSxS folder.
Filter/Exclusion: Check for processes with the full path C:\Windows\System32\dism.exe or use a process name filter for dism.exe.
Scenario: A scheduled task runs a PowerShell script that temporarily creates files in the WinSxS folder as part of a deployment or patching process.
Filter/Exclusion: Exclude processes associated with the task scheduler (svchost.exe with the TaskScheduler service) or use a custom field for the task name.
Scenario: A legitimate software update or patching tool (e.g., Microsoft Endpoint Configuration Manager or SCCM) creates files in the WinSxS folder during an update.
Filter/Exclusion: Exclude processes with the parent process svchost.exe or use a custom field for the tool name (e.g., Microsoft Endpoint Configuration Manager).
Scenario: A user manually runs a system file check using sfc /scannow, which may temporarily create files in the WinSxS folder.
Filter/Exclusion: Exclude processes with the full path C:\Windows\System32\sfc.exe or use a process name filter for sfc.exe.
Scenario: A third-party application or tool (e.g., Microsoft Deployment Toolkit) performs system imaging or deployment tasks that involve the WinSxS folder.
Filter/Exclusion: Exclude processes associated with known deployment tools or use a custom field for the tool name (e.g., Microsoft Deployment Toolkit).