Uncommon Child Process Of Appvlp.EXE

 1title: Uncommon Child Process Of Appvlp.EXE
 2id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
 3status: test
 4description: |
 5    Detects uncommon child processes of Appvlp.EXE
 6    Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
 7    Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
 8    or to mark a file as a system file.    
 9references:
10    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
11author: Sreeman
12date: 2020-03-13
13modified: 2023-11-09
14tags:
15    - attack.t1218
16    - attack.defense-evasion
17    - attack.execution
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        ParentImage|endswith: '\appvlp.exe'
24    # Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/
25    filter_main_generic:
26        Image|endswith:
27            - ':\Windows\SysWOW64\rundll32.exe'
28            - ':\Windows\System32\rundll32.exe'
29    filter_optional_office_msoasb:
30        Image|contains: ':\Program Files\Microsoft Office'
31        Image|endswith: '\msoasb.exe'
32    filter_optional_office_skype:
33        Image|contains|all:
34            - ':\Program Files\Microsoft Office'
35            - '\SkypeSrv\'
36        Image|endswith: '\SKYPESERVER.EXE'
37    filter_optional_office_msouc:
38        Image|contains: ':\Program Files\Microsoft Office'
39        Image|endswith: '\MSOUC.EXE'
40    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
41falsepositives:
42    - Unknown
43level: medium