File Masquerading as Legitimate Binaries Dropped in Suspicious Location

Rule Info

Name
File Masquerading as Legitimate Binaries Dropped in Suspicious Location
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects instances of a file bearing a legitimate system binary name, such as svchost.exe or rundll32.exe, being dropped in a suspicious location, which is highly unusual. Legitimate software typically does not create or modify svchost.exe during normal operations. Such activity could indicate malicious behavior, such as malware disguising itself as a system process or a persistence mechanism using renamed malicious executables.
Date
2025-02-26 00:00:00
Modified
None
Id
5064462d-e1b5-4d4b-be14-d88ae49b8622
Tags
attack.defense-evasion attack.t1036.005
Type
Nextron Sigma feed only (private)

Rule History