XBAP Execution From Uncommon Locations Via PresentationHost.EXE

Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass application whitelisting (AWL).

Sigma rule

title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f
status: test
description: |
        Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-01
modified: 2023-11-09
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\presentationhost.exe'
        - OriginalFileName: 'PresentationHost.exe'
    selection_cli:
        CommandLine|contains: '.xbap'
    filter_main_generic:
        CommandLine|contains: # Filter out legitimate locations if you find them
            - ' C:\Windows\'
            - ' C:\Program Files'
    condition: all of selection* and not 1 of filter_main_*
falsepositives:
    - Legitimate ".xbap" being executed via "PresentationHost"
level: medium
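The rule's condition evaluated in Python over constructed process_creation events, as an added example that is not code from the Sigma project; the event field names and the sample command lines are assumptions. It also shows a tuning caveat: the filter strings start with a space, so a path written after a quote is not filtered and still raises an alert.

```python
# Added example (not from the Sigma project): a minimal evaluator for this
# rule's detection logic, run over constructed process_creation events.
# Sigma 'endswith'/'contains' and plain equality are case-insensitive by
# default, which the helpers below reproduce by lowercasing both sides.

def _ci(value):
    return (value or "").lower()

def selection_img(event):
    # A list under a selection is OR: either field match is enough.
    return (_ci(event.get("Image")).endswith("\\presentationhost.exe")
            or _ci(event.get("OriginalFileName")) == "presentationhost.exe")

def selection_cli(event):
    return ".xbap" in _ci(event.get("CommandLine"))

def filter_main_generic(event):
    # Note the leading space in the rule's filter strings: a path that
    # follows a quote instead of a space is not filtered out.
    cmd = _ci(event.get("CommandLine"))
    return any(s in cmd for s in (" c:\\windows\\", " c:\\program files"))

def matches(event):
    # condition: all of selection* and not 1 of filter_main_*
    return (selection_img(event) and selection_cli(event)
            and not filter_main_generic(event))

# Constructed sample events (assumed field names, not real telemetry).
IMG = r"C:\Windows\System32\PresentationHost.exe"
SAMPLE_EVENTS = [
    {"Image": IMG, "OriginalFileName": "PresentationHost.exe",
     "CommandLine": r"PresentationHost.exe C:\Users\Public\Downloads\update.xbap"},
    {"Image": IMG, "OriginalFileName": "PresentationHost.exe",
     "CommandLine": r"PresentationHost.exe C:\Program Files\Vendor\Viewer.xbap"},
    {"Image": IMG, "OriginalFileName": "PresentationHost.exe",
     "CommandLine": r'PresentationHost.exe "C:\Program Files\Vendor\Viewer.xbap"'},
    {"Image": IMG, "OriginalFileName": "PresentationHost.exe",
     "CommandLine": "PresentationHost.exe -embedding"},
]

def evaluate(events=SAMPLE_EVENTS):
    # Returns one True/False per event: [True, False, True, False]
    return [matches(e) for e in events]

if __name__ == "__main__":
    for hit, e in zip(evaluate(), SAMPLE_EVENTS):
        print("ALERT" if hit else "  ok ", e["CommandLine"])
```

The third event (quoted Program Files path) alerts although it is a legitimate location, so a deployment that sees quoted paths may want a second filter entry without the leading space.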
