Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Sigma rule
```yaml
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
      type: similar
status: experimental
description: |
    Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
    Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
    - https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection_img:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\cmdl32.exe'
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            - '\bitsadmin.exe'
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            - '\expand.exe'
            - '\extrac32.exe'
            - '\replace.exe'
            - '\mshta.exe'
            - '\ftp.exe'
            - '\Ldifde.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
            - '\findstr.exe'
    selection_locations:
        TargetFilename|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
```
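The rule's two selections and its `all of selection_*` condition, applied to constructed file-event records so the matching logic can be checked before deployment. This is an added example, not SigmaHQ code or a Sigma backend; the field names `Image` and `TargetFilename` are the rule's own, the sample events are made up, and matching is case-insensitive as Sigma's `endswith`/`contains` modifiers require.

```python
# Added example (not SigmaHQ code): applies this rule's selections to
# constructed file-event records. Sigma matching is case-insensitive.

IMAGE_SUFFIXES = (  # Image|endswith
    "\\eqnedt32.exe", "\\wordpad.exe", "\\wordview.exe", "\\cmdl32.exe",
    "\\certutil.exe", "\\certoc.exe", "\\certreq.exe", "\\bitsadmin.exe",
    "\\desktopimgdownldr.exe", "\\esentutl.exe", "\\expand.exe",
    "\\extrac32.exe", "\\replace.exe", "\\mshta.exe", "\\ftp.exe",
    "\\ldifde.exe", "\\rdrcef.exe", "\\hh.exe", "\\finger.exe", "\\findstr.exe",
)
LOCATION_SUBSTRINGS = (  # TargetFilename|contains
    ":\\perflogs", ":\\programdata\\", ":\\temp\\", ":\\users\\public\\",
    ":\\windows\\", "\\$recycle.bin\\", "\\appdata\\local\\",
    "\\appdata\\roaming\\", "\\contacts\\", "\\desktop\\", "\\favorites\\",
    "\\favourites\\", "\\inetpub\\wwwroot\\", "\\music\\", "\\pictures\\",
    "\\start menu\\programs\\startup\\", "\\users\\default\\", "\\videos\\",
)

def selection_img(event):
    """Image|endswith: any of the listed binaries (case-insensitive)."""
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIXES)

def selection_locations(event):
    """TargetFilename|contains: any of the listed path fragments."""
    target = event.get("TargetFilename", "").lower()
    return any(frag in target for frag in LOCATION_SUBSTRINGS)

def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_locations(event)
# Constructed Sysmon Event ID 11 style records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\Public\update.exe"},              # match
    {"Image": r"C:\Windows\System32\certutil.exe",
     "TargetFilename": r"C:\Users\alice\Documents\cert.cer"},      # location miss
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\ProgramData\notes.txt"},               # image miss
    {"Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\plugin.dll"},  # match
]

def matching_targets(events):
    """Return the TargetFilename of each event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for target in matching_targets(SAMPLE_EVENTS):
        print("ALERT:", target)
```

For production use, convert the YAML with a Sigma backend (sigma-cli / pySigma) for your SIEM; this script only mirrors the rule's logic for offline validation.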
Related rules
- Curl Download And Execute Combination
- File Download Via Windows Defender MpCmpRun.EXE
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Insensitive Subfolder Search Via Findstr.EXE