XBAP Execution From Uncommon Locations Via PresentationHost.EXE
Detects the execution of ".xbap" (XAML Browser Application) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL (application whitelisting).
Sigma rule
title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
status: test
description: |
    Detects the execution of ".xbap" (XAML Browser Application) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-01
modified: 2023-11-09
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\presentationhost.exe'
        - OriginalFileName: 'PresentationHost.exe'
    selection_cli:
        CommandLine|contains: '.xbap'
    filter_main_generic:
        CommandLine|contains: # Filter out legitimate locations if you find them
            - ' C:\Windows\'
            - ' C:\Program Files'
    condition: all of selection* and not 1 of filter_main_*
falsepositives:
    - Legitimate ".xbap" being executed via "PresentationHost"
level: medium
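As an added example (not part of the rule above or of the Sigma project), the following Python applies this rule's selections, filter and condition to a few constructed process_creation events, assuming Sigma's case-insensitive string matching and the field names Image, OriginalFileName and CommandLine used by the rule.

```python
# Added example, not part of the Sigma rule or the Sigma project: applies this
# rule's detection logic to constructed process_creation events. Sigma string
# matching (endswith, contains, equals) is case-insensitive, hence the lower().

# Values copied from the rule. The leading space in the filter strings anchors
# each path to the start of an argument, so the quoted PresentationHost.exe
# path at the front of the command line does not satisfy the filter by itself.
IMAGE_SUFFIX = "\\presentationhost.exe"
ORIGINAL_FILE_NAME = "presentationhost.exe"
CLI_CONTAINS = ".xbap"
FILTER_CONTAINS = (" c:\\windows\\", " c:\\program files")

def matches(event: dict) -> bool:
    """condition: all of selection* and not 1 of filter_main_*"""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection_img is a list of maps, so its two entries are OR-ed
    selection_img = image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME
    selection_cli = CLI_CONTAINS in cmdline                # an .xbap is referenced
    filtered = any(f in cmdline for f in FILTER_CONTAINS)  # known-good location
    return selection_img and selection_cli and not filtered

# Constructed sample events (not real telemetry)
EVENTS = [
    {  # .xbap launched from a user-writable directory: alert
        "Image": r"C:\Windows\System32\PresentationHost.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": r'"C:\Windows\System32\PresentationHost.exe" C:\Users\Public\app.xbap',
    },
    {  # .xbap under Program Files: suppressed by filter_main_generic
        "Image": r"C:\Windows\System32\PresentationHost.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": r'"C:\Windows\System32\PresentationHost.exe" C:\Program Files\Vendor\app.xbap',
    },
    {  # renamed copy; OriginalFileName from the PE header still matches: alert
        "Image": r"C:\Users\Public\ph.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": r"ph.exe C:\Users\Public\x.xbap",
    },
    {  # PresentationHost started without an .xbap argument: no alert
        "Image": r"C:\Windows\System32\PresentationHost.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": r'"C:\Windows\System32\PresentationHost.exe" -embedding',
    },
]

def alerts(events=EVENTS) -> list:
    return [i for i, e in enumerate(events) if matches(e)]
```

Calling alerts() on the constructed events returns the indexes of the two that would fire; the second event shows the filter suppressing a Program Files location and the third shows why OriginalFileName is checked alongside Image.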
References
- https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Created Files by Microsoft Sync Center