Legitimate Application Dropped Executable

Sigma Rules

Summary
This rule identifies potentially malicious activity on Windows systems in which legitimate applications are observed writing executable files (e.g., .exe, .dll, .ocx) to disk. It covers several known legitimate applications, including command-line utilities and productivity tools, that would not normally write such files. The detection triggers whenever one of these specific applications produces a file of the listed types, which is a red flag for defense evasion by threat actors. The rule draws on Windows file event logs and matches on the filename suffix of the written file. The false-positive rate is not yet known, so alerts should be analysed carefully before concluding malicious intent. Monitoring with this rule helps organisations respond quickly to potential threats while keeping benign and malicious activity clearly separated.
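The following is an added example, not the Sigma rule itself, showing the described logic (source process in a watch list and written file ending in .exe/.dll/.ocx) applied to constructed file-create events in the shape of Sysmon event ID 11 records. The process names in WATCHED_IMAGES are assumed stand-ins; the page does not list the rule's actual selection, and the sample events are constructed rather than real telemetry.

```python
"""Toy re-implementation of the 'legitimate application dropped executable'
logic over constructed file-create events. Added example; not the Sigma rule."""
from pathlib import PureWindowsPath

# ASSUMED stand-ins for the applications the rule names. The real Sigma
# selection is not reproduced here; replace with the rule's own list.
WATCHED_IMAGES = {"winword.exe", "excel.exe", "cmd.exe"}

# Executable file types the rule summary lists as the red flag.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ocx"}

# Constructed sample events (Sysmon event ID 11 style); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\loader.DLL"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def is_legit_app_dropping_executable(event: dict) -> bool:
    """Return True when a watched process writes a file with an executable suffix."""
    # Only file-create events carry a TargetFilename worth checking.
    if event.get("EventID") != 11:
        return False
    # Compare on the image basename and the file suffix, case-insensitively,
    # so that WINWORD.EXE / loader.DLL match just like their lowercase forms.
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    suffix = PureWindowsPath(event.get("TargetFilename", "")).suffix.lower()
    return image in WATCHED_IMAGES and suffix in EXECUTABLE_SUFFIXES


def detect(events: list) -> list:
    """Filter a stream of events down to those matching the rule logic."""
    return [e for e in events if is_legit_app_dropping_executable(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} wrote {hit['TargetFilename']}")
```

Run against the sample stream, the first (Word writing update.exe) and third (cmd.exe writing loader.DLL) events fire; the .docx write and explorer.exe's download do not. Because the page notes that false positives are not yet characterised, a real deployment would add a per-environment exclusion list on top of this logic and review hits before treating them as confirmed malicious.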
Categories
  • Windows
  • Endpoint
Data Sources
  • File
  • Process
Created: 2022-08-21