← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Executable File Creation

Detect creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1564
Rule sourcerules/windows/file/file_event/file_event_win_susp_executable_creation.yml
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: |
    Detect creation of suspicious executable file names.
    Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
    - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
    - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022-09-05
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1564
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\$Recycle.Bin.exe'
            - ':\Documents and Settings.exe'
            - ':\MSOCache.exe'
            - ':\PerfLogs.exe'
            - ':\Recovery.exe'
            - '.bat.exe'
            - '.sys.exe'
    condition: selection
falsepositives:
    - Unknown
level: high