Threat Feed
high advisory

Unusual Executable File Creation by a System Critical Process

The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.

This detection rule identifies anomalous creation or modification of executable files by critical Windows system processes such as smss.exe, csrss.exe, and lsass.exe. Because these processes are trusted and rarely scrutinised, attackers may try to write files through them to evade detection; the rule is designed to surface exactly that activity. The rule draws on data from Elastic Defend, Microsoft Defender XDR, SentinelOne, CrowdStrike, and Sysmon. It provides investigation steps to help analysts triage potential incidents, focusing on the identity of the writing process, its lineage, and the characteristics of the written file. The rule is intended to detect potential remote code execution or other forms of exploitation targeting Windows systems, and its logic excludes specific legitimate file paths to minimise false positives.

Attack Chain

  1. An attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.
  2. The attacker executes code on the system.
  3. The attacker attempts to escalate privileges.
  4. The attacker leverages a system critical process to create or modify an executable file.
  5. The created/modified file may be a backdoor, malware component, or a tool for further exploitation.
  6. The attacker uses the created executable to establish persistence.
  7. The attacker uses the newly created executable to perform lateral movement.
  8. The attacker achieves their objective, such as data exfiltration or system compromise.

Impact

Successful exploitation can lead to arbitrary code execution with elevated privileges. The number of affected hosts depends on the scope of the initial compromise, and any organization running vulnerable Windows systems is a potential target regardless of sector. If the attack succeeds, the adversary can gain full control over the system, leading to data theft, system disruption, or further propagation of malware.

Recommendation

  • Deploy the “Unusual Executable File Creation by a System Critical Process” detection rule to your SIEM and tune for your environment.
  • Enable Sysmon file creation logging (Event ID 11) to enhance detection capabilities (see setup instructions in the rule source).
  • Investigate any alerts generated by this rule, paying close attention to the writing process’s identity, lineage, and the characteristics of the written file as detailed in the rule’s triage and analysis section.
  • Correlate alerts from this rule with other endpoint and network activity to identify the scope of the potential compromise.

Detection coverage (2 rules)

Suspicious Executable Creation by System Process

high

Detects the creation of executable files (EXE/DLL) by critical system processes, excluding known legitimate paths.

Format: sigma | Tactics: defense_evasion | Techniques: T1027 | Sources: file_event, windows

System Critical Process Modifying Executable in User Profile

medium

Detects a critical system process modifying an executable file within a user's profile directory.

Format: sigma | Tactics: defense_evasion | Techniques: T1027 | Sources: file_event, windows
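A toy evaluator for the two detections above, run over constructed Sysmon Event ID 11 (FileCreate) records; this is an added example, not the platform's own query. The critical-process set is the three names the advisory mentions (the real rule's list is assumed to be longer), and the excluded "legitimate" path prefixes are constructed stand-ins.

```python
import json
from typing import Dict, List

# Processes the advisory names as system critical; assumed subset of the rule's real list.
CRITICAL_PROCESSES = {"smss.exe", "csrss.exe", "lsass.exe"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll")
# Constructed stand-ins for the "known legitimate paths" the high-severity rule excludes.
LEGITIMATE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_PROFILE_PREFIX = "c:\\users\\"

# Constructed Sysmon Event ID 11 records, one JSON object per line (not real telemetry).
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\lsass.exe", "TargetFilename": "C:\\Windows\\Temp\\svc.dll"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\csrss.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\smss.exe", "TargetFilename": "C:\\Windows\\System32\\patched.dll"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\tool.exe"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\lsass.exe", "TargetFilename": "C:\\Windows\\Temp\\dump.txt"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon 'Image' is a full path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[Dict]:
    """Return one alert per detection that matches a single FileCreate event."""
    alerts: List[Dict] = []
    if event.get("EventID") != 11:
        return alerts
    if _basename(event.get("Image", "")) not in CRITICAL_PROCESSES:
        return alerts
    target = event.get("TargetFilename", "").lower()
    if not target.endswith(EXECUTABLE_EXTENSIONS):
        return alerts
    base = {"image": event["Image"], "target": event["TargetFilename"]}
    # High-severity rule: EXE/DLL written anywhere outside the excluded legitimate paths.
    if not target.startswith(LEGITIMATE_PREFIXES):
        alerts.append({"rule": "Suspicious Executable Creation by System Process", "severity": "high", **base})
    # Medium-severity rule: executable written inside a user profile directory.
    if target.startswith(USER_PROFILE_PREFIX):
        alerts.append({"rule": "System Critical Process Modifying Executable in User Profile", "severity": "medium", **base})
    return alerts


def scan(log_text: str) -> List[Dict]:
    """Parse JSON-lines Sysmon records and collect alerts from every event."""
    alerts: List[Dict] = []
    for line in log_text.strip().splitlines():
        if line.strip():
            alerts.extend(evaluate(json.loads(line)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['rule']}: {a['image']} -> {a['target']}")
```

Run against the sample log, the first record fires only the high rule, the second fires both (it is outside the exclusions and inside a user profile), and the remaining three are filtered by the exclusion list, the process allow-list and the extension check respectively.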
