Detectionmediumtest

WinSxS Executable File Creation By Non-System Process

Detects the creation of binaries in the WinSxS folder by non-system processes

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Thu May 1134746e8c-5fb8-415a-b135-0abc167e912awindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '.exe'
    filter_main_system_location:
        Image|startswith:
            - 'C:\Windows\Systems32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

media.defense.gov

MITRE ATT&CK

Tactics

TA0002 · Execution

Related Rules

DerivedEmerging Threathigh

SNAKE Malware WerFault Persistence File Creation

Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

34746e8c-5fb8-415a-b135-0abc167e912a

Status

test

Level

medium

Type

Detection

Created

Thu May 11

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml

Raw Tags

attack.execution

View on GitHub