Command or Scripting Interpreter Creating EXE File
Detects a shell or scripting interpreter, running as a child process, creating a file whose name ends in .exe.
Sigma rule
title: Command or Scripting Interpreter Creating EXE File
id: 47d68f87-d0f0-4386-8362-d62b7135a494
status: experimental
description: Detects the suspicious child use of shell or scripting interpreter to create a file ending in exe.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022/12/11
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - attack.t1036
logsource:
    category: file_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\wscript.exe'
            - '\python.exe'
            - '\pythonw.exe'
        TargetFilename|endswith: '.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
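To show how the rule's selection behaves on real-looking telemetry, the following added Python snippet implements its two `endswith` conditions and runs them over constructed Sysmon-style FileCreate (Event ID 11) records. It is example code, not part of the SigmaHQ rule or any SIEM backend; the record layout, paths and event values are assumptions built for the demonstration.

```python
"""Reference implementation of the rule's selection logic, run over
constructed Sysmon Event ID 11 (FileCreate) style records.  Example code,
not part of the SigmaHQ rule or any SIEM backend."""

# Values copied from the rule's `Image|endswith` and `TargetFilename|endswith`.
INTERPRETER_SUFFIXES = (
    r"\cmd.exe",
    r"\powershell.exe",
    r"\powershell_ise.exe",
    r"\wscript.exe",
    r"\python.exe",
    r"\pythonw.exe",
)
TARGET_SUFFIX = ".exe"


def matches_rule(event: dict) -> bool:
    """Return True when a file-creation event satisfies the rule's selection.

    Sigma string modifiers are case-insensitive by default, so both fields are
    lower-cased before the suffix comparison.  Missing fields never match.
    """
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return image.endswith(INTERPRETER_SUFFIXES) and target.endswith(TARGET_SUFFIX)


def find_alerts(events: list[dict]) -> list[dict]:
    """Filter a batch of file-creation events down to those the rule flags."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (all paths are made up for the demo).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\update.exe"},               # interpreter -> .exe: alert
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\TOOL.EXE"},  # mixed case: still alerts
    {"EventID": 11, "Image": r"C:\Python311\python.exe",
     "TargetFilename": r"C:\Users\alice\script.py"},                 # interpreter, but not .exe
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},       # .exe, but not an interpreter
    {"EventID": 11, "Image": r"C:\Program Files\notcmd.exe",
     "TargetFilename": r"C:\tmp\x.exe"},                             # suffix includes the backslash
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Only the first two sample records fire; the last record shows why the rule anchors each interpreter name with a leading backslash, so that `notcmd.exe` is not mistaken for `cmd.exe`.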
Related rules
- File Creation of Executables in Temp Folders (Event 4663)
- Process Creation without .exe File Extension
- Unexpected Internal Process Name
- Process Executing with Unusual Command Lines