Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe belongs to the Outlook apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instance of hxtsr.exe outside this folder may be malware camouflaging itself as HxTsr.exe.
Sigma rule
```yaml
title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
    HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
    HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
    Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
references:
    - Internal Research
author: Sreeman
date: 2020-04-17
modified: 2024-02-08
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Link this to the more generic system process rule
    selection:
        Image|endswith: '\hxtsr.exe'
    filter_main_hxtsr:
        Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\hxtsr.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
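As an added example (not part of the rule or the SigmaHQ project), the rule's selection, filter and condition logic applied to a handful of constructed process_creation events. Sigma's `endswith`/`contains` modifiers compare case-insensitively, which the helpers reproduce by lowercasing the path; the package version string and every sample path below are made up.

```python
"""Evaluate the Sigma rule above against constructed process_creation events.

Sigma string modifiers (endswith/contains) match case-insensitively by
default, so every comparison lowercases the Image path first.
"""
from typing import Dict, Iterable, List

# Values copied from the rule's selection and filter_main_hxtsr blocks.
SELECTION_SUFFIX = "\\hxtsr.exe"
LEGIT_PATH_FRAGMENT = ":\\program files\\windowsapps\\microsoft.windowscommunicationsapps_"


def is_selection(image: str) -> bool:
    """selection: Image|endswith '\\hxtsr.exe' (case-insensitive)."""
    return image.lower().endswith(SELECTION_SUFFIX)


def is_legit_location(image: str) -> bool:
    """filter_main_hxtsr: Image|contains the WindowsApps package path AND
    Image|endswith '\\hxtsr.exe' (both clauses must hold)."""
    lowered = image.lower()
    return LEGIT_PATH_FRAGMENT in lowered and lowered.endswith(SELECTION_SUFFIX)


def rule_matches(image: str) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return is_selection(image) and not is_legit_location(image)


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the process_creation events the rule would alert on."""
    return [e for e in events if rule_matches(e.get("Image", ""))]


# Constructed sample events (hypothetical package version string and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.1.0.0_x64__8wekyb3d8bbwe\HxTsr.exe"},
    {"Image": r"C:\Users\Public\Downloads\HxTsr.exe"},              # outside WindowsApps
    {"Image": r"C:\Windows\Temp\hxtsr.exe"},                       # lowercase name, wrong path
    {"Image": r"C:\Program Files\WindowsApps\evil_1.0\HxTsr.exe"},  # WindowsApps, wrong package name
    {"Image": r"C:\Windows\System32\svchost.exe"},                 # not hxtsr.exe at all
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"])
```

Only the first event, which sits under the expected `microsoft.windowscommunicationsapps_` package folder, is suppressed by the filter; a binary placed anywhere else under WindowsApps still alerts.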
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution