Unusual Executable File Creation by a System Critical Process
Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.
Elastic rule
```toml
[metadata]
creation_date = "2020/08/19"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies an unexpected executable file being created or modified by a Windows system critical process, which may
indicate activity related to remote code execution or other forms of exploitation.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.file-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Unusual Executable File Creation by a System Critical Process"
risk_score = 73
rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Tactic: Execution",
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and
  file.extension : ("exe", "dll") and
  process.name : ("smss.exe",
                  "autochk.exe",
                  "csrss.exe",
                  "wininit.exe",
                  "services.exe",
                  "lsass.exe",
                  "winlogon.exe",
                  "userinit.exe",
                  "LogonUI.exe") and
  not (
    process.name : "smss.exe" and
    file.path : (
      "?:\\Windows\\System32\\wpbbin.exe",
      "\\Device\\HarddiskVolume*\\Windows\\System32\\wpbbin.exe"
    )
  ) and
  not (
    process.name : "lsass.exe" and
    file.path : (
      "?:\\Windows\\System32\\eac_usermode_*.dll",
      "\\Device\\HarddiskVolume*\\Windows\\System32\\eac_usermode_*.dll"
    )
  )
'''

note = """## Triage and analysis

### Investigating Unusual Executable File Creation by a System Critical Process

#### Possible investigation steps

- What exact critical-process write did the alert preserve?
  - Focus: `process.name`, `process.executable`, `file.path`, `file.extension`, and `event.action`; the writer should match a critical-process name in the query.
  - Implication: escalate faster when it writes an EXE or DLL in user-writable, startup, temp, or other non-servicing paths; lower concern only for protected OS servicing paths or a repaired vendor product tree.
- Is the writer the expected protected Windows binary, not a masquerade or tampered copy?
  - Why: exploitation for defense evasion can preserve a genuine protected-process identity while changing what that process writes.
  - Focus: `process.executable`, `process.code_signature.subject_name`, and `process.code_signature.trusted`; recover `process.hash.sha256` and `process.pe.original_file_name` from matching process-start events on `host.id` and `process.entity_id` when absent. $investigate_1
  - Implication: escalate when path, signer, hash, or original file name conflicts with the expected critical process; if the identity is the expected Microsoft binary, continue, because exploitation can still force a genuine process to write attacker-controlled content.
- What launch and user context led to the write?
  - Why: client-side or service exploitation often appears as Office, browser, script, archive, or user-profile ancestry before an abnormal critical-process file write.
  - Focus: matching process-start event: `process.command_line`, `process.parent.executable`, `process.parent.command_line`, `process.Ext.ancestry`, and `user.id`.
  - Implication: escalate when the chain traces to Office, browser, script, archive, LOLBin, or user-profile activity before the critical-process write; lower concern only when parentage and user context align with OS servicing or one bounded product repair.
- Does the written artifact look staged or renamed rather than serviced?
  - Focus: `file.path`, `file.Ext.original.path`, `file.Ext.original.extension`, `file.Ext.header_bytes`, and `file.Ext.windows.zone_identifier`. $investigate_2
  - Implication: escalate when content is renamed into an executable extension, lands in a deceptive or writable path, carries internet provenance, or header bytes do not fit the file name.
- Did the written file become an execution target or command-line dependency?
  - Focus: same-writer file activity on `host.id` and `process.entity_id`, plus later process starts from `file.path`. $investigate_0
  - Hint: for EXE reuse, inspect later process starts where `process.executable` equals `file.path`; for DLL writes, search `process.command_line` for the path and treat a quiet result as unresolved, not benign. $investigate_5
  - Implication: escalate when the artifact executes or is referenced by follow-on commands; if the same-process file view is quiet, use the EXE or DLL recovery cue before lowering urgency.
- If local evidence remains suspicious or unresolved, does the artifact pattern recur on this host or other hosts?
  - Focus: related alerts for the same written `file.path`; add writer `process.executable` only after the alert or identity check confirms it. $investigate_3
  - Hint: compare related alerts for the same `host.id` and `host.name` before broadening to other assets. $investigate_4
  - Implication: broaden scope when the same artifact path, writer identity, or follow-on execution appears on multiple hosts or repeats on the same host; localize when evidence stays limited to one short-lived, well-bounded servicing chain.
- Escalate for abnormal identity, exploit-like lineage, staged content, execution/reference, or recurrence; close only when identity, lineage, artifact, and scope bind one servicing or vendor-maintenance workflow with no contradictions; preserve artifacts and escalate when evidence stays mixed or incomplete.

### False positive analysis

- Windows servicing/component repair or product/security-agent upgrade can replace binaries in protected OS or vendor paths. Confirm writer identity (`process.executable`, `process.code_signature.subject_name`, `process.hash.sha256`, `process.pe.original_file_name`), lineage (`process.parent.executable`, `process.Ext.ancestry`), and `file.path` all match one servicing or product workflow on the same `host.id`; for vendor repair, also require the path to stay inside the vendor directory and no user-writable staging, staged rename, or later execution from that path. If maintenance records are unavailable, use prior alerts from this rule for the same host and require the same protected path pattern without staged rename or later execution.
- Before creating an exception, require recurrence for the same `host.id` plus stable `process.executable`, `process.code_signature.subject_name`, parent context, and protected `file.path` pattern. Avoid exceptions on `process.name`, `file.extension`, or the whole critical-process list alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the servicing or vendor-maintenance evidence: writer identity, parent context, written path, content indicators, and host scope. Create an exception only after the bounded pattern recurs.
- If suspicious but unconfirmed, export the alert file event and matching process-start event, preserve a copy of the written file when safe, and record the writer `process.entity_id`, `process.command_line`, `process.parent.executable`, `file.path`, and recovered `process.hash.sha256` before containment. Apply reversible containment first, such as heightened monitoring or temporary host isolation when host criticality allows, and avoid deleting the artifact until scope is clearer.
- If confirmed malicious, isolate the host when writer identity, lineage, artifact, or execution evidence establishes unauthorized activity. Record `process.entity_id`, `process.executable`, `process.command_line`, `file.path`, and recovered hashes before killing processes or deleting files; then terminate the offending process if still active and quarantine only the executable or DLL artifacts identified during investigation.
- Post-incident hardening should verify why a critical process could write executable content, restore affected files from trusted media when replacement occurred, retain process and file telemetry that supported the case, and document artifact-path or lineage variants in the incident record for future triage.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.name",
  "host.id",
  "user.id",
  "process.entity_id",
  "process.name",
  "process.executable",
  "process.code_signature.subject_name",
  "process.code_signature.trusted",
  "file.path",
  "file.extension",
  "file.Ext.original.path",
  "file.Ext.header_bytes",
  "file.Ext.windows.zone_identifier",
  "event.action",
]

[transform]

[[transform.investigate]]
label = "Events for the writing process on this host"
description = ""
providers = [
  [
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process start for the writing process"
description = ""
providers = [
  [
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for the written path on this host"
description = ""
providers = [
  [
    { excluded = false, field = "file.path", queryType = "phrase", value = "{{file.path}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the written file path"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "file.path", queryType = "phrase", value = "{{file.path}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Process starts from the written file path on this host"
description = ""
providers = [
  [
    { excluded = false, field = "process.executable", queryType = "phrase", value = "{{file.path}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ],
  [
    { excluded = false, field = "process.command_line", queryType = "phrase", value = "{{file.path}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1211"
name = "Exploitation for Defense Evasion"
reference = "https://attack.mitre.org/techniques/T1211/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
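The following is an added, self-contained model (not Elastic's code) of how the query above and the "did the written file become an execution target" pivot from the investigation guide behave: it re-implements the EQL clauses, including the case-insensitive `:` matching and both path exclusions, and then applies the EXE-reuse / DLL-command-line check to constructed file and process-start events. The function names, host id `h1`, and every sample path are assumptions made here, not values from the rule.

```python
import fnmatch

# Critical-process writers and the two path exclusions taken from the rule's query.
CRITICAL_PROCESSES = ("smss.exe", "autochk.exe", "csrss.exe", "wininit.exe", "services.exe",
                      "lsass.exe", "winlogon.exe", "userinit.exe", "LogonUI.exe")
EXCLUSIONS = {
    "smss.exe": ("?:\\Windows\\System32\\wpbbin.exe",
                 "\\Device\\HarddiskVolume*\\Windows\\System32\\wpbbin.exe"),
    "lsass.exe": ("?:\\Windows\\System32\\eac_usermode_*.dll",
                  "\\Device\\HarddiskVolume*\\Windows\\System32\\eac_usermode_*.dll"),
}

def eql_match(value, pattern):
    """Model of EQL's ':' operator: case-insensitive, with '*' and '?' as wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(ev):
    """True when a flat ECS-style file event satisfies every clause of the query."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") == "deletion":
        return False
    if not any(eql_match(ev.get("file.extension", ""), x) for x in ("exe", "dll")):
        return False
    writer = ev.get("process.name", "")
    if not any(eql_match(writer, p) for p in CRITICAL_PROCESSES):
        return False
    path = ev.get("file.path", "")
    return not any(eql_match(writer, w) and any(eql_match(path, p) for p in pats)
                   for w, pats in EXCLUSIONS.items())

def follow_on_execution(alert, process_starts):
    """Guide pivot: 'executed' (EXE started), 'referenced' (DLL path in a command line) or 'unresolved'."""
    path = alert["file.path"].lower()
    starts = [p for p in process_starts
              if p.get("host.id") == alert["host.id"] and p.get("event.type") == "start"]
    if alert["file.extension"].lower() == "exe":
        if any(p.get("process.executable", "").lower() == path for p in starts):
            return "executed"
    elif any(path in p.get("process.command_line", "").lower() for p in starts):
        return "referenced"
    return "unresolved"  # a quiet result is unresolved, not benign

def file_event(writer, path, ext, event_type="creation"):
    """Constructed sample file event (not real telemetry) on the assumed host 'h1'."""
    return {"host.id": "h1", "host.os.type": "windows", "event.type": event_type,
            "process.name": writer, "file.path": path, "file.extension": ext}

FILE_EVENTS = [
    file_event("lsass.exe", "C:\\Users\\Public\\helper.dll", "dll"),             # hit
    file_event("smss.exe", "C:\\Windows\\System32\\wpbbin.exe", "exe"),          # excluded
    file_event("LSASS.EXE", "\\Device\\HarddiskVolume3\\Windows\\System32\\eac_usermode_64.dll", "DLL"),  # excluded
    file_event("winlogon.exe", "C:\\Temp\\old.exe", "exe", event_type="deletion"),  # not a write
    file_event("winlogon.exe", "C:\\Users\\Public\\run.exe", "exe"),             # hit
]
PROCESS_STARTS = [  # constructed later process starts on the same host
    {"host.id": "h1", "event.type": "start", "process.executable": "C:\\Users\\Public\\RUN.EXE",
     "process.command_line": "C:\\Users\\Public\\RUN.EXE"},
    {"host.id": "h1", "event.type": "start", "process.executable": "C:\\Windows\\System32\\rundll32.exe",
     "process.command_line": "rundll32.exe C:\\Users\\Public\\helper.dll,Start"},
]

def triage(file_events=FILE_EVENTS, process_starts=PROCESS_STARTS):
    """Alerts produced by the rule, each paired with its follow-on execution verdict."""
    return [(ev["file.path"], follow_on_execution(ev, process_starts))
            for ev in file_events if matches_rule(ev)]
```

Running `triage()` on the constructed events yields two alerts: the DLL written under `Users\Public` is `referenced` by a later command line and the EXE is `executed`, while the two exclusions and the deletion produce nothing.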
Related rules
- Persistence via Hidden Run Key Detected
- Attempt to Install or Run Kali Linux via WSL
- Script Execution via Microsoft HTML Application
- Suspicious Managed Code Hosting Process
- WDAC Policy File by an Unusual Process