Threat Hunt · Level: low · Status: test

Creation of an Executable by an Executable

Detects the creation of an executable by another executable.

Author: François Hubaut. Created Wed Mar 09. Updated Mon Feb 24. Rule ID: 297afac9-5d02-4138-8c58-b977bac60556. Product: windows.
Log Source

Product: windows
Category: file_event

Events for file system activity including creation, modification, and deletion. On Windows, the file_event category is normally fed by Sysmon Event ID 11 (FileCreate), which supplies the Image and TargetFilename fields this rule matches on.

Detection Logic (19 selectors)
detection:
    selection:
        Image|endswith: '.exe'
        TargetFilename|endswith: '.exe'
    filter_main_generic_1:
        Image|endswith:
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\system32\cleanmgr.exe'
            - ':\Windows\explorer.exe'
            - ':\WINDOWS\system32\dxgiadaptercache.exe'
            - ':\WINDOWS\system32\Dism.exe'
            - ':\Windows\System32\wuauclt.exe'
    filter_main_update:
        # Security_UserID: S-1-5-18
        # Example:
        #   TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe
        Image|endswith: ':\WINDOWS\system32\svchost.exe'
        TargetFilename|contains: ':\Windows\SoftwareDistribution\Download\'
    filter_main_upgrade:
        Image|endswith: ':\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            # Example:
            #   This example was seen during windows upgrade
            #   TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe
            - ':\WUDownloadCache\'
            - '\WindowsUpdateBox.exe'
    filter_main_windows_update_box:
        # This FP was seen during Windows Upgrade
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
        Image|contains: ':\WINDOWS\SoftwareDistribution\Download\'
        Image|endswith: '\WindowsUpdateBox.Exe'
        TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
    filter_main_tiworker:
        Image|contains: ':\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_main_programfiles:
        - Image|contains:
              - ':\Program Files\'
              - ':\Program Files (x86)\'
        - TargetFilename|contains:
              - ':\Program Files\'
              - ':\Program Files (x86)\'
    filter_main_defender:
        Image|contains:
            - ':\ProgramData\Microsoft\Windows Defender\'
            - ':\Program Files\Windows Defender\'
    filter_main_windows_apps:
        TargetFilename|contains: '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetFilename|endswith:
            - '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
            - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
            - '\AppData\Local\Microsoft\SquirrelTemp\tempb\'
    filter_main_mscorsvw:
        # Example:
        #   ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior
        #   Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
        #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
        #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
        Image|endswith: '\mscorsvw.exe'
        TargetFilename|contains: ':\Windows\assembly\NativeImages_'
    filter_main_vscode:
        Image|contains: '\AppData\Local\'
        Image|endswith: '\Microsoft VS Code\Code.exe'
        TargetFilename|contains: '\.vscode\extensions\'
    filter_main_githubdesktop:
        Image|endswith: '\AppData\Local\GitHubDesktop\Update.exe'
        # Example TargetFileName:
        #   \AppData\Local\SquirrelTemp\tempb\lib\net45\GitHubDesktop_ExecutionStub.exe
        #   \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
        TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
    filter_main_windows_temp:
        - Image|contains: ':\WINDOWS\TEMP\'
        - TargetFilename|contains: ':\WINDOWS\TEMP\'
    filter_optional_python:
        Image|contains: '\Python27\python.exe'
        TargetFilename|contains:
            - '\Python27\Lib\site-packages\'
            - '\Python27\Scripts\'
            - '\AppData\Local\Temp\'
    filter_optional_squirrel:
        Image|contains: '\AppData\Local\SquirrelTemp\Update.exe'
        TargetFilename|contains: '\AppData\Local'
    filter_main_temp_installers:
        - Image|contains: '\AppData\Local\Temp\'
        - TargetFilename|contains: '\AppData\Local\Temp\'
    filter_optional_chrome:
        Image|endswith: '\ChromeSetup.exe'
        TargetFilename|contains: '\Google'
    filter_main_dot_net:
        Image|contains: ':\Windows\Microsoft.NET\Framework'
        Image|endswith: '\mscorsvw.exe'
        TargetFilename|contains: ':\Windows\assembly'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
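To see how the condition line combines these selectors, here is an added Python example (not part of SigmaHQ, this rule, or pySigma): a small evaluator for the modifiers the rule uses (endswith, contains, contains|all, OR lists, and OR list-of-maps) run over constructed Sysmon Event ID 11 records, with the selection and five of the nineteen filters transcribed. The `case_sensitive` switch is an assumption added for illustration: Sigma compares strings case-insensitively, and the rule relies on that when it spells the same svchost path as both `:\WINDOWS\system32\` and `:\Windows\system32\`; a backend that compiles these to case-sensitive comparisons stops suppressing the Windows Update download and floods the hunt.

```python
from typing import Any, Dict, List, Union

Selector = Union[Dict[str, Any], List[Dict[str, Any]]]

# Subset of the rule's detection section, transcribed as Python literals
# (selection plus five of the nineteen filters). The evaluator is generic
# and accepts the full section in the same shape.
DETECTION: Dict[str, Selector] = {
    "selection": {
        "Image|endswith": ".exe",
        "TargetFilename|endswith": ".exe",
    },
    "filter_main_generic_1": {
        "Image|endswith": [
            ":\\Windows\\System32\\msiexec.exe",
            ":\\Windows\\explorer.exe",
        ],
    },
    "filter_main_update": {
        "Image|endswith": ":\\WINDOWS\\system32\\svchost.exe",
        "TargetFilename|contains": ":\\Windows\\SoftwareDistribution\\Download\\",
    },
    "filter_main_upgrade": {
        "Image|endswith": ":\\Windows\\system32\\svchost.exe",
        "TargetFilename|contains|all": [":\\WUDownloadCache\\", "\\WindowsUpdateBox.exe"],
    },
    # A list of maps is OR-ed: matching either map alone suppresses the hit.
    "filter_main_programfiles": [
        {"Image|contains": [":\\Program Files\\", ":\\Program Files (x86)\\"]},
        {"TargetFilename|contains": [":\\Program Files\\", ":\\Program Files (x86)\\"]},
    ],
    "filter_main_temp_installers": [
        {"Image|contains": "\\AppData\\Local\\Temp\\"},
        {"TargetFilename|contains": "\\AppData\\Local\\Temp\\"},
    ],
}


def _match_one(value: str, modifier: str, pattern: str, case_sensitive: bool) -> bool:
    """One Sigma string comparison. Sigma is case-insensitive by default;
    case_sensitive=True (illustrative assumption) mimics a backend that is not."""
    if not case_sensitive:
        value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "contains":
        return pattern in value
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier!r}")


def _field_matches(event: Dict[str, str], key: str, patterns: Any, case_sensitive: bool) -> bool:
    """'Field|modifier' against one value or a list; lists are OR unless |all."""
    field, *mods = key.split("|")
    require_all = "all" in mods
    mods = [m for m in mods if m != "all"]
    modifier = mods[0] if mods else ""
    value = event.get(field)
    if value is None:
        return False
    pats = patterns if isinstance(patterns, list) else [patterns]
    results = [_match_one(str(value), modifier, p, case_sensitive) for p in pats]
    return all(results) if require_all else any(results)


def _selector_matches(event: Dict[str, str], selector: Selector, case_sensitive: bool) -> bool:
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selector, list):
        return any(_selector_matches(event, s, case_sensitive) for s in selector)
    return all(_field_matches(event, k, v, case_sensitive) for k, v in selector.items())


def evaluate(event: Dict[str, str], detection: Dict[str, Selector] = DETECTION,
             case_sensitive: bool = False) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _selector_matches(event, detection["selection"], case_sensitive):
        return False
    filters = [n for n in detection if n.startswith(("filter_main_", "filter_optional_"))]
    return not any(_selector_matches(event, detection[n], case_sensitive) for n in filters)


# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
EVENTS: List[Dict[str, str]] = [
    # Unknown binary in Downloads writes a look-alike svchost.exe: should surface.
    {"Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},
    # Windows Update download: suppressed by filter_main_update, but only because
    # matching ignores the WINDOWS/Windows and System32/system32 case difference.
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\SoftwareDistribution\\Download\\abc\\WindowsUpdateBox.exe"},
    # Vendor installer under Program Files dropping a helper into %TEMP%.
    {"Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe"},
    # Target is a DLL, so the selection itself does not match.
    {"Image": "C:\\Users\\alice\\Downloads\\dropper.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\payload.dll"},
]


def hits(events: List[Dict[str, str]] = EVENTS, case_sensitive: bool = False) -> List[str]:
    """TargetFilename of every event the rule would surface."""
    return [e["TargetFilename"] for e in events if evaluate(e, case_sensitive=case_sensitive)]


if __name__ == "__main__":
    print("default (case-insensitive):", hits())
    print("case-sensitive backend:   ", hits(case_sensitive=True))
```

With the default matching only the Downloads dropper surfaces; with `case_sensitive=True` the svchost.exe update download is no longer suppressed by filter_main_update or filter_main_upgrade, which is the check to run against any converted query before deploying this rule.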
False Positives

Software installers

Update utilities

32-bit applications launching their 64-bit versions

References

Internal Research
MITRE ATT&CK

Tactic: Resource Development (attack.resource-development)
Sub-technique: T1587.001 Develop Capabilities: Malware (attack.t1587.001)

Other

detection.threat-hunting
Rule Metadata
Rule ID
297afac9-5d02-4138-8c58-b977bac60556
Status
test
Level
low
Type
Threat Hunt
Created
Wed Mar 09
Modified
Mon Feb 24
Path
rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml
Raw Tags
attack.resource-development, attack.t1587.001, detection.threat-hunting