Suspicious Executable File Creation
Detects the creation of an executable whose file name is suspicious. Some of the patterns look for double extensions (for example `.bat.exe`, `.sys.exe`); the others look for executables placed directly in a drive root with the name of a well-known directory (for example `C:\PerfLogs.exe`), which is where a binary planted to hijack an unquoted service path would land.
Sigma rule

```yaml
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
  - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
  - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022/09/05
modified: 2023/12/11
tags:
  - attack.defense_evasion
  - attack.t1564
logsource:
  product: windows
  category: file_event
detection:
  selection_double:
    TargetFilename|endswith:
      - ':\$Recycle.Bin.exe'
      - ':\Documents and Settings.exe'
      - ':\MSOCache.exe'
      - ':\PerfLogs.exe'
      - ':\Recovery.exe'
      - '.bat.exe'
      - '.sys.exe'
  condition: 1 of selection_*
falsepositives:
  - Unknown
level: high
```
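To see what the `TargetFilename|endswith` selection actually matches, the following Python reimplements the rule's logic and runs it over a handful of constructed file-creation events. This is an added example, not code from the rule's author or the Sigma project. It assumes the usual Sysmon mapping of the `file_event` log source to Event ID 11 (FileCreate), and the event records, hostnames and paths below are made up for illustration. Note that Sigma string matching is case-insensitive by default, and that the drive-root patterns begin with `:\`, so `D:\Recovery.exe` matches while `C:\Users\bob\Recovery.exe` does not.

```python
"""Python reimplementation of the rule's `TargetFilename|endswith` selection.

Added example, not part of the Sigma rule or the page. The sample events
below are constructed, not real telemetry.
"""
from __future__ import annotations

# The suffixes from the rule's selection_double list, copied verbatim.
SUSPICIOUS_SUFFIXES = (
    r":\$Recycle.Bin.exe",
    r":\Documents and Settings.exe",
    r":\MSOCache.exe",
    r":\PerfLogs.exe",
    r":\Recovery.exe",
    ".bat.exe",
    ".sys.exe",
)


def matched_suffix(target_filename: str) -> str | None:
    """Return the rule suffix the path ends with, or None.

    Sigma string modifiers compare case-insensitively by default, so both
    sides are lower-cased before the endswith test.
    """
    name = target_filename.lower()
    for suffix in SUSPICIOUS_SUFFIXES:
        if name.endswith(suffix.lower()):
            return suffix
    return None


def is_suspicious_executable_creation(target_filename: str) -> bool:
    """True if the created file's name matches the rule (condition: 1 of selection_*)."""
    return matched_suffix(target_filename) is not None


def scan_file_events(events: list[dict]) -> list[dict]:
    """Apply the rule to file_event records shaped like Sysmon events.

    Assumption: file_event maps to Sysmon Event ID 11 (FileCreate). Other
    events that also carry TargetFilename (e.g. ID 23, FileDelete) are
    skipped, because the rule is about creation.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        suffix = matched_suffix(ev.get("TargetFilename", ""))
        if suffix is not None:
            hits.append({**ev, "MatchedSuffix": suffix, "Level": "high"})
    return hits


# Constructed sample events (hypothetical processes and paths).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\services.exe",
     "TargetFilename": r"C:\PerfLogs.exe"},                             # drive-root pattern
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\installer.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\invoice.bat.exe"},  # double extension
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"D:\recovery.EXE"},                             # other drive, mixed case
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Recovery.exe"},                   # not at drive root: no hit
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\acpi.sys"},        # plain .sys: no hit
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\PerfLogs.exe"},                             # deletion, not creation
]

if __name__ == "__main__":
    for hit in scan_file_events(SAMPLE_EVENTS):
        print(f"[{hit['Level']}] {hit['Image']} created {hit['TargetFilename']}"
              f" (matched {hit['MatchedSuffix']})")
```

Running the block prints three hits: the `C:\PerfLogs.exe` creation, the `invoice.bat.exe` drop, and `D:\recovery.EXE`. The `C:\Users\bob\Recovery.exe` and `acpi.sys` events are not flagged, and neither is the FileDelete record, which shows why a backend mapping that feeds other file events into this rule would change its behaviour.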
Related rules
- PUA - Process Hacker Execution
- Suspicious Creation with Colorcpl
- Detect Virtualbox Driver Installation OR Starting Of VMs
- Parent in Public Folder Suspicious Process
- Sysmon Configuration Error