Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

Legitimate Application Writing Files In Uncommon Location

Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed Dec 101cf465a1-2609-4c15-9b66-c32dbe4bfd67windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\cmdl32.exe'
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            - '\bitsadmin.exe'
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            - '\expand.exe'
            - '\extrac32.exe'
            - '\replace.exe'
            - '\mshta.exe'
            - '\ftp.exe'
            - '\Ldifde.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
            - '\findstr.exe'
    selection_locations:
        TargetFilename|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
lolbas-project.github.io
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

File Download Via Bitsadmin To A Suspicious Target Folder

Detects usage of bitsadmin downloading a file to a suspicious target folder

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
1cf465a1-2609-4c15-9b66-c32dbe4bfd67
Status
experimental
Level
high
Type
Detection
Created
Wed Dec 10
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml
Raw Tags
attack.defense-evasionattack.t1218attack.command-and-controlattack.t1105
View on GitHub