Uncommon Child Process Of Appvlp.EXE
Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Sigma rule (View on GitHub)
1title: Uncommon Child Process Of Appvlp.EXE
2id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
3status: test
4description: |
5 Detects uncommon child processes of Appvlp.EXE
6 Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
7 Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
8 or to mark a file as a system file.
9references:
10 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
11author: Sreeman
12date: 2020-03-13
13modified: 2023-11-09
14tags:
15 - attack.t1218
16 - attack.defense-evasion
17 - attack.execution
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 ParentImage|endswith: '\appvlp.exe'
24 # Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/
25 filter_main_generic:
26 Image|endswith:
27 - ':\Windows\SysWOW64\rundll32.exe'
28 - ':\Windows\System32\rundll32.exe'
29 filter_optional_office_msoasb:
30 Image|contains: ':\Program Files\Microsoft Office'
31 Image|endswith: '\msoasb.exe'
32 filter_optional_office_skype:
33 Image|contains|all:
34 - ':\Program Files\Microsoft Office'
35 - '\SkypeSrv\'
36 Image|endswith: '\SKYPESERVER.EXE'
37 filter_optional_office_msouc:
38 Image|contains: ':\Program Files\Microsoft Office'
39 Image|endswith: '\MSOUC.EXE'
40 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
41falsepositives:
42 - Unknown
43level: medium
References
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Binary Proxy Execution Via Dotnet-Trace.EXE