Legitimate Application Dropped Archive

 1title: Legitimate Application Dropped Archive
 2id: 654fcc6d-840d-4844-9b07-2c3300e54a26
 3status: test
 4description: Detects programs on a Windows system that should not write an archive to disk
 5references:
 6    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 7author: frack113, Florian Roth
 8date: 2022/08/21
 9tags:
10    - attack.defense_evasion
11    - attack.t1218
12logsource:
13    product: windows
14    category: file_event
15detection:
16    selection:
17        Image|endswith:
18            # Microsoft Office Programs Dropping Executables
19            - \winword.exe
20            - \excel.exe
21            - \powerpnt.exe
22            - \msaccess.exe
23            - \mspub.exe
24            - \eqnedt32.exe
25            - \visio.exe
26            - \wordpad.exe
27            - \wordview.exe
28            # LOLBINs that can be used to download executables
29            - \certutil.exe
30            - \certoc.exe
31            - \CertReq.exe
32            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
33            - \Desktopimgdownldr.exe
34            - \esentutl.exe
35            # - \expand.exe
36            - \finger.exe
37            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
38            - \notepad.exe
39            - \AcroRd32.exe
40            - \RdrCEF.exe
41            - \mshta.exe
42            - \hh.exe
43        TargetFilename|endswith:
44            - '.zip'
45            - '.rar'
46            - '.7z'
47            - '.diagcab'
48            - '.appx'
49    condition: selection
50falsepositives:
51    - Unknown
52level: high