Detection · medium · test
Uncommon Child Process Of Appvlp.EXE
Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
5 selectors
detection:
    selection:
        ParentImage|endswith: '\appvlp.exe'
    # Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/
    filter_main_generic:
        Image|endswith:
            - ':\Windows\SysWOW64\rundll32.exe'
            - ':\Windows\System32\rundll32.exe'
    filter_optional_office_msoasb:
        Image|contains: ':\Program Files\Microsoft Office'
        Image|endswith: '\msoasb.exe'
    filter_optional_office_skype:
        Image|contains|all:
            - ':\Program Files\Microsoft Office'
            - '\SkypeSrv\'
        Image|endswith: '\SKYPESERVER.EXE'
    filter_optional_office_msouc:
        Image|contains: ':\Program Files\Microsoft Office'
        Image|endswith: '\MSOUC.EXE'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
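The detection logic above, evaluated over a handful of process-creation events, as an added example that is not part of the rule or its repository. It is useful for checking which children the filters suppress before deploying a converted query. The helper names and every path in `SAMPLE_EVENTS` are constructed for illustration.

```python
# Added illustration: the rule's selection and filters re-implemented in plain Python.
# Sigma string modifiers match case-insensitively, so values are lowercased first.

def _has(value, *needles):
    """contains|all: every needle must occur in the (lowercased) value."""
    return all(n.lower() in value for n in needles)

def _ends(value, *suffixes):
    """endswith with a list: any one suffix is enough."""
    return value.endswith(tuple(s.lower() for s in suffixes))

def matches_rule(event):
    """Return True when a process-creation event satisfies the rule condition."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    office = r":\Program Files\Microsoft Office"

    selection = _ends(parent, r"\appvlp.exe")
    filter_main_generic = _ends(image, r":\Windows\SysWOW64\rundll32.exe",
                                r":\Windows\System32\rundll32.exe")
    filter_optional = [
        _has(image, office) and _ends(image, r"\msoasb.exe"),
        _has(image, office, "\\SkypeSrv\\") and _ends(image, r"\SKYPESERVER.EXE"),
        _has(image, office) and _ends(image, r"\MSOUC.EXE"),
    ]
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection and not filter_main_generic and not any(filter_optional)

# Constructed sample events (not taken from real telemetry).
APPVLP = r"C:\Program Files\Microsoft Office\root\Client\AppVLP.exe"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    ("shell child", {"ParentImage": APPVLP, "Image": r"C:\Windows\System32\cmd.exe"}),
    ("rundll32 child", {"ParentImage": APPVLP, "Image": r"C:\Windows\System32\rundll32.exe"}),
    ("msoasb in Office dir", {"ParentImage": APPVLP, "Image": OFFICE + r"\msoasb.exe"}),
    # Same file name outside the Office path: the filter needs path AND name.
    ("msoasb elsewhere", {"ParentImage": APPVLP, "Image": r"C:\Users\Public\msoasb.exe"}),
    # The filter string does not occur in an "(x86)" path, so this one alerts.
    ("msouc under x86", {"ParentImage": APPVLP,
                         "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\MSOUC.EXE"}),
    ("other parent", {"ParentImage": r"C:\Windows\explorer.exe",
                      "Image": r"C:\Windows\System32\cmd.exe"}),
]

def alerting(events):
    """Return the labels of the events the rule would fire on."""
    return [label for label, event in events if matches_rule(event)]

if __name__ == "__main__":
    print(alerting(SAMPLE_EVENTS))
```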
MITRE ATT&CK
Rule Metadata
Rule ID
9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
Status
test
Level
medium
Type
Detection
Created
Fri Mar 13
Modified
Thu Nov 09
Author
Path
rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml
Raw Tags
attack.t1218, attack.defense-evasion, attack.execution