WinSxS Executable File Creation By Non-System Process

Detects the creation of binaries in the WinSxS folder by non-system processes

Sigma rule

title: WinSxS Executable File Creation By Non-System Process
id: 34746e8c-5fb8-415a-b135-0abc167e912a
related:
    - id: 64827580-e4c3-4c64-97eb-c72325d45399
      type: derived
status: test
description: Detects the creation of binaries in the WinSxS folder by non-system processes
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/11
tags:
    - attack.execution
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '.exe'
    filter_main_system_location:
        # Creating process runs from a system location (the original listing read
        # 'Systems32', a non-existent directory that would have left System32
        # binaries unfiltered; corrected to 'System32')
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
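An added Python example (not part of the rule or the Sigma project) that transcribes the rule's selection and filter logic and runs it over constructed Sysmon Event ID 11-style records; it assumes the first filter path means the real C:\Windows\System32\ directory and applies Sigma's case-insensitive string matching.

```python
"""Evaluate the WinSxS file-creation rule over constructed file-create events."""

# Selection: an .exe written anywhere under the WinSxS tree.
SELECTION_PREFIX = "C:\\Windows\\WinSxS\\"
SELECTION_SUFFIX = ".exe"

# Filter: the creating process image lives in one of these system locations
# (assumption: the rule's first entry means C:\Windows\System32\).
FILTER_IMAGE_PREFIXES = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)


def matches(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not 1 of filter_main_*'.

    Sigma string modifiers compare case-insensitively, so both sides are lowered.
    """
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = target.startswith(SELECTION_PREFIX.lower()) and target.endswith(SELECTION_SUFFIX)
    filtered = any(image.startswith(p.lower()) for p in FILTER_IMAGE_PREFIXES)
    return selection and not filtered


def alerts(events) -> list:
    """Return the Image of every event that would raise an alert."""
    return [e["Image"] for e in events if matches(e)]


# Constructed sample events mimicking Sysmon Event ID 11 fields; not real telemetry.
SAMPLE_EVENTS = [
    # Windows servicing writing a component: filtered by the System32 prefix.
    {"Image": "C:\\Windows\\System32\\TiWorker.exe",
     "TargetFilename": "C:\\Windows\\WinSxS\\amd64_sample_10.0.1.1_none_0000\\comp.exe"},
    # Non-system process dropping an .exe into WinSxS: alert.
    {"Image": "C:\\Users\\Public\\loader.exe",
     "TargetFilename": "C:\\Windows\\WinSxS\\amd64_sample_10.0.1.1_none_0000\\tool.exe"},
    # Same process writing a .dll: outside the rule's selection, no alert.
    {"Image": "C:\\Users\\Public\\loader.exe",
     "TargetFilename": "C:\\Windows\\WinSxS\\Temp\\payload.dll"},
    # Lower-case path and upper-case extension: still an alert.
    {"Image": "c:\\users\\public\\loader.exe",
     "TargetFilename": "c:\\windows\\winsxs\\x86_sample\\tool.EXE"},
]

if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT:", image)
```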
