Skip to content
Threat Feed
high advisory

Unusual Executable File Creation by System Critical Process

This rule detects the creation or modification of executable files by Windows system-critical processes, potentially indicating remote code execution or other forms of exploitation for defense evasion, execution, or privilege escalation.

This detection rule identifies suspicious activity where Windows system-critical processes are creating or modifying executable files (.exe or .dll). System processes such as smss.exe, autochk.exe, csrss.exe, wininit.exe, services.exe, lsass.exe, winlogon.exe, userinit.exe, and LogonUI.exe generally do not create or modify arbitrary executables. This activity can indicate that a vulnerability has been exploited, a system process has been compromised, or that a malicious process is masquerading as a system-critical process for the purposes of defense evasion, execution, or privilege escalation. The rule is designed to work across various data sources like Winlogbeat, Sysmon, Elastic Defend, Microsoft Defender XDR, SentinelOne, and Crowdstrike.

Attack Chain

  1. Initial compromise of a system through an unpatched vulnerability or social engineering.
  2. Attacker gains initial access and attempts to escalate privileges.
  3. Exploit is used to inject malicious code into a system critical process (e.g., lsass.exe).
  4. The compromised system process is used to create a malicious executable file on disk.
  5. The created executable (.exe or .dll) is written to a location on the filesystem.
  6. The malicious executable is executed, either directly or through another system process.
  7. The attacker leverages the executed code to establish persistence, move laterally, or exfiltrate data.
  8. Final objective depends on attacker goals: data theft, ransomware deployment, or long-term access.

Impact

A successful attack exploiting this behavior can lead to complete system compromise, potentially affecting all data and services provided by the compromised host. Depending on the system process that's compromised, the attacker might gain elevated privileges, allowing them to move laterally within the network and compromise other systems. The impact could range from data theft and service disruption to full ransomware deployment across the organization.

Recommendation

  • Enable file creation and modification logging via Sysmon to effectively detect the behavior flagged by this rule.
  • Deploy the Sigma rule "Unusual Executable File Creation by a System Critical Process" to your SIEM and tune for your environment.
  • Prioritize investigation of alerts generated by the Sigma rule, focusing on identifying the root cause of the file creation event.
  • Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence to identify any suspicious activity.

Detection coverage 2

Unusual Executable File Creation by System Process

high

Detects the creation of executable files by system processes, which may indicate exploitation.

sigma tactics: defense_evasion techniques: T1211 sources: file_event, windows

System Process Modifying Executable

medium

Detects modification of existing executable files by critical system processes, indicating potential code injection or exploitation.

sigma tactics: defense_evasion techniques: T1211 sources: file_event, windows

Detection queries are available on the platform. Get full rules →