Suspicious Legitimate Application Dropping Executable
This brief details a detection method for identifying malicious activity where legitimate Windows applications, including Living-Off-The-Land Binaries (LOLBINs) and common productivity software, are abused to drop executable files onto the disk, often indicating malware staging, persistence mechanisms, or process injection attempts.
This SigmaHQ rule focuses on detecting the abuse of legitimate Windows applications to drop executable or executable-equivalent files onto disk. This behavior is a common tactic used by threat actors for malware staging, establishing persistence, or facilitating process injection. The rule identifies specific applications, often referred to as Living-Off-The-Land Binaries (LOLBINs) like certutil.exe or mshta.exe, alongside other trusted software such as Adobe Acrobat Reader (AcroRd32.exe) and Microsoft Office components (eqnedt32.exe, wordpad.exe), when they create files with executable extensions (.com, .dll, .exe, .jar, .ocx, .pyc). This detection is crucial for identifying stealthy post-exploitation activities that bypass traditional signature-based defenses by leveraging trusted system binaries. It helps defenders uncover hidden payloads and unauthorized code execution pathways by monitoring file creation events.
Impact
If this activity goes undetected, attackers can establish a strong foothold within a compromised system. The dropped executables can be anything from custom malware, backdoors, or credential stealers to ransomware components. Successful execution of these payloads can lead to full system compromise, data exfiltration, lateral movement within the network, or encryption of critical data, severely disrupting operations and incurring significant financial and reputational damage. The use of legitimate applications makes detection challenging, increasing the likelihood of successful prolonged adversary presence.
Recommendation
- Enable Sysmon file event logging (
category: file_event) on all Windows endpoints to ensure the necessary telemetry for the provided Sigma rule. - Deploy the Sigma rule "Legitimate Application Dropped Executable" to your SIEM and tune it for your environment to detect suspicious file drops.
- Investigate all high-severity alerts generated by the "Legitimate Application Dropped Executable" rule immediately to identify potential malware staging or process injection.
Detection coverage 1
Legitimate Application Dropped Executable
highDetects LOLBINs and applications that should not legitimately drop executable or executable-equivalent files to disk, indicating malware staging, process injection, or abuse of trusted binaries.
Detection queries are available on the platform. Get full rules →