XBAP Execution From Uncommon Locations Via PresentationHost.EXE

calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·
Share on: linkedin copy

Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL

Sigma rule (View on GitHub)

 1title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
 2id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
 3status: test
 4description: |
 5        Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
 6references:
 7    - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/07/01
10modified: 2023/11/09
11tags:
12    - attack.defense_evasion
13    - attack.execution
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\presentationhost.exe'
21        - OriginalFileName: 'PresentationHost.exe'
22    selection_cli:
23        CommandLine|contains: '.xbap'
24    filter_main_generic:
25        CommandLine|contains: # Filter out legitimate locations if you find them
26            - ' C:\Windows\'
27            - ' C:\Program Files'
28    condition: all of selection* and not 1 of filter_main_*
29falsepositives:
30    - Legitimate ".xbap" being executed via "PresentationHost"
31level: medium

References

  • Presentationhost | LOLBAS

    Download: INetCache INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file'...


    Read More

Related rules

to-top