From adbc959a1d5ed77c22b9578b22015feabc778b0e Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Fri, 19 Dec 2025 15:03:20 +0100
Subject: [PATCH 1/7] update `Windows LOLBAS Executed Outside Expected Path`

---
 ..._lolbas_executed_outside_expected_path.yml | 71 +-
 lookups/lolbas_file_path.csv | 732 ++++++------------
 lookups/lolbas_file_path.yml | 6 +-
 3 files changed, 302 insertions(+), 507 deletions(-)

diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
index fd0ea62330..417f60b96f 100644
--- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
+++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
@@ -1,37 +1,51 @@
 name: Windows LOLBAS Executed Outside Expected Path
 id: 326fdf44-b90c-4d2e-adca-1fd140b10536
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-12-18'
 author: Steven Dick
 status: production
-type: TTP
-description: The following analytic identifies a LOLBAS process being executed outside
-  of it's expected location. Processes being executed outside of expected locations
-  may be an indicator that an adversary is attempting to evade defenses or execute
-  malicious code. The LOLBAS project documents Windows native binaries that can be
-  abused by threat actors to perform tasks like executing malicious code.
+type: Anomaly
+description: |
+  The following analytic identifies a LOLBAS process being executed outside of it's expected location.
+  Processes being executed outside of expected locations may be an indicator that an adversary is attempting to evade defenses or execute malicious code.
+  The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code.
 data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
-search: '| tstats `security_content_summariesonly` latest(Processes.parent_process)
-  as parent_process, latest(Processes.process) as process, latest(Processes.process_guid)
-  as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes
-  where Processes.process != "unknown" AND NOT Processes.process_path IN ("*\\Program
-  Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") by Processes.action
-  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  |`drop_dm_object_name(Processes)` | lookup lolbas_file_path lolbas_file_name as
-  process_name OUTPUT description as desc | lookup lolbas_file_path lolbas_file_name
-  as process_name lolbas_file_path as process_path OUTPUT description as is_lolbas_path
-  | search desc!="false" AND is_lolbas_path="false" | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `windows_lolbas_executed_outside_expected_path_filter`'
+  - Sysmon EventID 1
+  - Windows Event Log Security 4688
+search: |
+  | tstats `security_content_summariesonly`
+  count min(_time) as firstTime
+  max(_time) as lastTime
+  FROM datamodel=Endpoint.Processes where
+
+  NOT Processes.process_path IN (
+  "*\\PROGRA~*",
+  "*\\Program Files \(x86\)\\",
+  "*\\Program Files\\",
+  "*:\\Windows\\System32\\*",
+  "*:\\Windows\\SysWOW64\\*",
+  "*:\\Windows\\WinSxS\\*"
+  )
+
+  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
+  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
+  Processes.parent_process_name Processes.parent_process_path Processes.process
+  Processes.process_exec Processes.process_guid Processes.process_hash
+  Processes.process_id Processes.process_integrity_level Processes.process_name
+  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+
+  |`drop_dm_object_name(Processes)`
+  | lookup lolbas_file_path lolbas_file_name as process_name OUTPUT description as desc
+  | lookup lolbas_file_path lolbas_file_name as process_name lolbas_file_path as process_path OUTPUT description as is_lolbas_path
+  | search desc!="false" AND is_lolbas_path="false"
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_lolbas_executed_outside_expected_path_filter`
 how_to_implement: To implement this search, you must ingest logs that contain the
   process name and process path, such as with Sysmon EID 1.
-known_false_positives: Vendors will often copy system exectables to a different path
-  for application usage.
+known_false_positives: |
+  Vendors, third party software or update processes may use versions of the binaries listed in the lookup table from non-standard paths.
+  It is recommended to tune this analytic to exclude any known legitimate software or paths in your environment
 references:
 - https://attack.mitre.org/techniques/T1036/
 - https://attack.mitre.org/techniques/T1036/005/
@@ -50,8 +64,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: The user $user$ executed a LOLBAS [$process_name$] from an unexpected location
-    on $dest$
+  message: The user $user$ executed a LOLBAS [$process_name$] from an unexpected location [$process_path$] with CommandLine [$process$] on $dest$
 risk_objects:
 - field: user
   type: user
diff --git a/lookups/lolbas_file_path.csv b/lookups/lolbas_file_path.csv
index c684d084c9..86da2657dd 100644
--- a/lookups/lolbas_file_path.csv
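Review bot: In the new `NOT Processes.process_path IN (...)` list, `"*\\Program Files \(x86\)\\"` and `"*\\Program Files\\"` end in `\\` with no trailing `*`, unlike the three `*:\\Windows\\...\\*` entries beside them, so they only match a process_path that ends in that directory separator; if process_path holds the full executable path, as the neighbouring patterns assume, nothing under either Program Files tree is excluded any more, whereas the removed `"*\\Program Files*"` covered both. Suggest `"*\\Program Files (x86)\\*",` and `"*\\Program Files\\*",` (keep the `\(`/`\)` escaping only if it is actually required inside a tstats IN literal — worth confirming, since the old pattern avoided the parentheses altogether). The retained `| search desc!="false" AND is_lolbas_path="false"` relies on unmatched lookup rows yielding the literal `false`, which comes from the lookup definition in lookups/lolbas_file_path.yml (changed in this patch but not shown here); a line in `description` such as `Binaries or paths absent from the lolbas_file_path lookup resolve to "false" via its default match value.` would make that coupling explicit. The reflowed description still reads `it's expected location`; `its` is meant.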
+++ b/lookups/lolbas_file_path.csv 
@@ -1,476 +1,258 @@ lolbas_file_name,lolbas_file_path,description -eventvwr.exe,c:\windows\system32\*,Displays Windows Event Logs in a GUI window. -eventvwr.exe,c:\windows\syswow64\*,Displays Windows Event Logs in a GUI window. -rasautou.exe,c:\windows\system32\*,Windows Remote Access Dialer -regedit.exe,c:\windows\*,Used by Windows to manipulate registry -regedit.exe,c:\windows\syswow64\*,Used by Windows to manipulate registry -regsvr32.exe,c:\windows\system32\*,Used by Windows to register dlls -regsvr32.exe,c:\windows\syswow64\*,Used by Windows to register dlls -control.exe,c:\windows\system32\*,Binary used to launch controlpanel items in Windows -control.exe,c:\windows\syswow64\*,Binary used to launch controlpanel items in Windows -configsecuritypolicy.exe,c:\programdata\microsoft\windows defender\platform\*,Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. -configsecuritypolicy.exe,c:\program files\windows defender\*,Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. -configsecuritypolicy.exe,c:\program files\microsoft security client\*,Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. 
-scriptrunner.exe,c:\windows\system32\*,Execute binary through proxy binary to evade defensive counter measures -scriptrunner.exe,c:\windows\syswow64\*,Execute binary through proxy binary to evade defensive counter measures -offlinescannershell.exe,c:\program files\windows defender\offline\*,Windows Defender Offline Shell -atbroker.exe,c:\windows\system32\*,Helper binary for Assistive Technology (AT) -atbroker.exe,c:\windows\syswow64\*,Helper binary for Assistive Technology (AT) -mmc.exe,c:\windows\system32\*,Load snap-ins to locally and remotely manage Windows systems -mmc.exe,c:\windows\syswow64\*,Load snap-ins to locally and remotely manage Windows systems -mavinject.exe,c:\windows\system32\*,Used by App-v in Windows -mavinject.exe,c:\windows\syswow64\*,Used by App-v in Windows -ftp.exe,c:\windows\system32\*,A binary designed for connecting to FTP servers -ftp.exe,c:\windows\syswow64\*,A binary designed for connecting to FTP servers -ttdinject.exe,c:\windows\system32\*,Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) -ttdinject.exe,c:\windows\syswow64\*,Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) -certoc.exe,c:\windows\system32\*,Used for installing certificates -certoc.exe,c:\windows\syswow64\*,Used for installing certificates -at.exe,c:\windows\system32\*,Schedule periodic tasks -at.exe,c:\windows\syswow64\*,Schedule periodic tasks -netsh.exe,c:\windows\system32\*,Netsh is a Windows tool used to manipulate network interface settings. -netsh.exe,c:\windows\syswow64\*,Netsh is a Windows tool used to manipulate network interface settings. -pnputil.exe,c:\windows\system32\*,Used for installing drivers -ie4uinit.exe,c:\windows\system32\*,Executes commands from a specially prepared ie4uinit.inf file. -ie4uinit.exe,c:\windows\syswow64\*,Executes commands from a specially prepared ie4uinit.inf file. 
-infdefaultinstall.exe,c:\windows\system32\*,Binary used to perform installation based on content inside inf files -infdefaultinstall.exe,c:\windows\syswow64\*,Binary used to perform installation based on content inside inf files -forfiles.exe,c:\windows\system32\*,Selects and executes a command on a file or set of files. This command is useful for batch processing. -forfiles.exe,c:\windows\syswow64\*,Selects and executes a command on a file or set of files. This command is useful for batch processing. -register-cimprovider.exe,c:\windows\system32\*,Used to register new wmi providers -register-cimprovider.exe,c:\windows\syswow64\*,Used to register new wmi providers -tttracer.exe,c:\windows\system32\*,Used by Windows 1809 and newer to Debug Time Travel -tttracer.exe,c:\windows\syswow64\*,Used by Windows 1809 and newer to Debug Time Travel -xwizard.exe,c:\windows\system32\*,Execute custom class that has been added to the registry or download a file with Xwizard.exe -xwizard.exe,c:\windows\syswow64\*,Execute custom class that has been added to the registry or download a file with Xwizard.exe -pcalua.exe,c:\windows\system32\*,Program Compatibility Assistant -print.exe,c:\windows\system32\*,Used by Windows to send files to the printer -print.exe,c:\windows\syswow64\*,Used by Windows to send files to the printer -runscripthelper.exe,c:\windows\winsxs\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\*,Execute target PowerShell script -runscripthelper.exe,c:\windows\winsxs\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\*,Execute target PowerShell script -regasm.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,Part of .NET -regasm.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,Part of .NET -regasm.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,Part of .NET -regasm.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Part of .NET 
-cmd.exe,c:\windows\system32\*,The command-line interpreter in Windows -cmd.exe,c:\windows\syswow64\*,The command-line interpreter in Windows -msbuild.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework\v3.5\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework64\v3.5\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,Used to compile and execute code -msbuild.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Used to compile and execute code -msbuild.exe,c:\program files (x86)\msbuild\14.0\bin\*,Used to compile and execute code -certutil.exe,c:\windows\system32\*,Windows binary used for handling certificates -certutil.exe,c:\windows\syswow64\*,Windows binary used for handling certificates -vbc.exe,c:\windows\microsoft.net\framework\v*\*,Binary file used for compile vbs code -vbc.exe,c:\windows\microsoft.net\framework64\v*\*,Binary file used for compile vbs code -psr.exe,c:\windows\system32\*,"Windows Problem Steps Recorder, used to record screen and clicks." -psr.exe,c:\windows\syswow64\*,"Windows Problem Steps Recorder, used to record screen and clicks." -extexport.exe,c:\program files\internet explorer\*,Load a DLL located in the c:\test folder with a specific name. -extexport.exe,c:\program files (x86)\internet explorer\*,Load a DLL located in the c:\test folder with a specific name. 
-rpcping.exe,c:\windows\system32\*,Used to verify rpc connection -rpcping.exe,c:\windows\syswow64\*,Used to verify rpc connection -msdt.exe,c:\windows\system32\*,Microsoft diagnostics tool -msdt.exe,c:\windows\syswow64\*,Microsoft diagnostics tool -gfxdownloadwrapper.exe,c:\windows\system32\driverstore\filerepository\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." -dnscmd.exe,c:\windows\system32\*,A command-line interface for managing DNS servers -dnscmd.exe,c:\windows\syswow64\*,A command-line interface for managing DNS servers -wab.exe,c:\program files\windows mail\*,Windows address book manager -wab.exe,c:\program files (x86)\windows mail\*,Windows address book manager -msconfig.exe,c:\windows\system32\*,"MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows" -wscript.exe,c:\windows\system32\*,Used by Windows to execute scripts -wscript.exe,c:\windows\syswow64\*,Used by Windows to execute scripts -makecab.exe,c:\windows\system32\*,Binary to package existing files into a cabinet (.cab) file -makecab.exe,c:\windows\syswow64\*,Binary to package existing files into a cabinet (.cab) file -datasvcutil.exe,c:\windows\microsoft.net\framework64\v3.5\*,DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application. -cmdl32.exe,c:\windows\system32\*,Microsoft Connection Manager Auto-Download -cmdl32.exe,c:\windows\syswow64\*,Microsoft Connection Manager Auto-Download -mshta.exe,c:\windows\system32\*,Used by Windows to execute html applications. (.hta) -mshta.exe,c:\windows\syswow64\*,Used by Windows to execute html applications. 
(.hta) -cmdkey.exe,c:\windows\system32\*,"creates, lists, and deletes stored user names and passwords or credentials." -cmdkey.exe,c:\windows\syswow64\*,"creates, lists, and deletes stored user names and passwords or credentials." -ilasm.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,used for compile c# code into dll or exe. -ilasm.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,used for compile c# code into dll or exe. -rdrleakdiag.exe,c:\windows\system32\*,Microsoft Windows resource leak diagnostic tool -rdrleakdiag.exe,c:\windows\syswow64\*,Microsoft Windows resource leak diagnostic tool -mpcmdrun.exe,c:\program files\windows defender\*,Binary part of Windows Defender. Used to manage settings in Windows Defender -mpcmdrun.exe,c:\programdata\microsoft\windows defender\platform\*,Binary part of Windows Defender. Used to manage settings in Windows Defender -mpcmdrun.exe,c:\program files\microsoft security client\*,Binary part of Windows Defender. Used to manage settings in Windows Defender -jsc.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,Binary file used by .NET to compile javascript code to .exe or .dll format -jsc.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,Binary file used by .NET to compile javascript code to .exe or .dll format -jsc.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,Binary file used by .NET to compile javascript code to .exe or .dll format -jsc.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,Binary file used by .NET to compile javascript code to .exe or .dll format -cmstp.exe,c:\windows\system32\*,Installs or removes a Connection Manager service profile. -cmstp.exe,c:\windows\syswow64\*,Installs or removes a Connection Manager service profile. 
-stordiag.exe,c:\windows\system32\*,Storage diagnostic tool -stordiag.exe,c:\windows\syswow64\*,Storage diagnostic tool -odbcconf.exe,c:\windows\system32\*,Used in Windows for managing ODBC connections -odbcconf.exe,c:\windows\syswow64\*,Used in Windows for managing ODBC connections -wlrmdr.exe,c:\windows\system32\*,Windows Logon Reminder executable -printbrm.exe,c:\windows\system32\spool\tools\*,Printer Migration Command-Line Tool -dfsvc.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfsvc.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfsvc.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,ClickOnce engine in Windows used by .NET -dfsvc.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,ClickOnce engine in Windows used by .NET -extrac32.exe,c:\windows\system32\*,"Extract to ADS, copy or overwrite a file with Extrac32.exe" -extrac32.exe,c:\windows\syswow64\*,"Extract to ADS, copy or overwrite a file with Extrac32.exe" -rundll32.exe,c:\windows\system32\*,Used by Windows to execute dll files -rundll32.exe,c:\windows\syswow64\*,Used by Windows to execute dll files -runonce.exe,c:\windows\system32\*,Executes a Run Once Task that has been configured in the registry -runonce.exe,c:\windows\syswow64\*,Executes a Run Once Task that has been configured in the registry -explorer.exe,c:\windows\*,Binary used for managing files and system components within Windows -explorer.exe,c:\windows\syswow64\*,Binary used for managing files and system components within Windows -wuauclt.exe,c:\windows\system32\*,Windows Update Client -wsreset.exe,c:\windows\system32\*,Used to reset Windows Store settings according to its manifest file -finger.exe,c:\windows\system32\*,Displays information about a user or users on a specified remote computer that is running the Finger service or daemon -finger.exe,c:\windows\syswow64\*,Displays information about a user or users on a specified remote 
computer that is running the Finger service or daemon -regini.exe,c:\windows\system32\*,Used to manipulate the registry -regini.exe,c:\windows\syswow64\*,Used to manipulate the registry -reg.exe,c:\windows\system32\*,Used to manipulate the registry -reg.exe,c:\windows\syswow64\*,Used to manipulate the registry -syncappvpublishingserver.exe,c:\windows\system32\*,Used by App-v to get App-v server lists -syncappvpublishingserver.exe,c:\windows\syswow64\*,Used by App-v to get App-v server lists -bitsadmin.exe,c:\windows\system32\*,Used for managing background intelligent transfer -bitsadmin.exe,c:\windows\syswow64\*,Used for managing background intelligent transfer -msiexec.exe,c:\windows\system32\*,Used by Windows to execute msi files -msiexec.exe,c:\windows\syswow64\*,Used by Windows to execute msi files -regsvcs.exe,c:\windows\system32\*,Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies -regsvcs.exe,c:\windows\syswow64\*,Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies -gpscript.exe,c:\windows\system32\*,Used by group policy to process scripts -gpscript.exe,c:\windows\syswow64\*,Used by group policy to process scripts -diskshadow.exe,c:\windows\system32\*,Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). -diskshadow.exe,c:\windows\syswow64\*,Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). -ieexec.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. 
-ieexec.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. -diantz.exe,c:\windows\system32\*,Binary that package existing files into a cabinet (.cab) file -diantz.exe,c:\windows\syswow64\*,Binary that package existing files into a cabinet (.cab) file -desktopimgdownldr.exe,c:\windows\system32\*,Windows binary used to configure lockscreen/desktop image -appinstaller.exe,c:\program files\windowsapps\microsoft.desktopappinstaller_1.11.2521.0_x64__8wekyb3d8bbwe\*,Tool used for installation of AppX/MSIX applications on Windows 10 -sc.exe,c:\windows\system32\*,Used by Windows to manage services -sc.exe,c:\windows\syswow64\*,Used by Windows to manage services -replace.exe,c:\windows\system32\*,Used to replace file with another file -replace.exe,c:\windows\syswow64\*,Used to replace file with another file -schtasks.exe,c:\windows\system32\*,Schedule periodic tasks -schtasks.exe,c:\windows\syswow64\*,Schedule periodic tasks -microsoft.workflow.compiler.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,A utility included with .NET that is capable of compiling and executing C# or VB.net code. 
-expand.exe,c:\windows\system32\*,Binary that expands one or more compressed files -expand.exe,c:\windows\syswow64\*,Binary that expands one or more compressed files -conhost.exe,c:\windows\system32\*,Console Window host -bash.exe,c:\windows\system32\*,File used by Windows subsystem for Linux -bash.exe,c:\windows\syswow64\*,File used by Windows subsystem for Linux -pcwrun.exe,c:\windows\system32\*,Program Compatibility Wizard -fltmc.exe,c:\windows\system32\*,Filter Manager Control Program used by Windows -wmic.exe,c:\windows\system32\wbem\*,The WMI command-line (WMIC) utility provides a command-line interface for WMI -wmic.exe,c:\windows\syswow64\wbem\*,The WMI command-line (WMIC) utility provides a command-line interface for WMI -workfolders.exe,c:\windows\system32\*,Work Folders -settingsynchost.exe,c:\windows\system32\*,Host Process for Setting Synchronization -settingsynchost.exe,c:\windows\syswow64\*,Host Process for Setting Synchronization -pktmon.exe,c:\windows\system32\*,Capture Network Packets on the windows 10 with October 2018 Update or later. -pktmon.exe,c:\windows\syswow64\*,Capture Network Packets on the windows 10 with October 2018 Update or later. 
-aspnet_compiler.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,ASP.NET Compilation Tool -aspnet_compiler.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,ASP.NET Compilation Tool -cscript.exe,c:\windows\system32\*,Binary used to execute scripts in Windows -cscript.exe,c:\windows\syswow64\*,Binary used to execute scripts in Windows -installutil.exe,c:\windows\microsoft.net\framework\v2.0.50727\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -installutil.exe,c:\windows\microsoft.net\framework64\v2.0.50727\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -installutil.exe,c:\windows\microsoft.net\framework\v4.0.30319\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -installutil.exe,c:\windows\microsoft.net\framework64\v4.0.30319\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies -esentutl.exe,c:\windows\system32\*,Binary for working with Microsoft Joint Engine Technology (JET) database -esentutl.exe,c:\windows\syswow64\*,Binary for working with Microsoft Joint Engine Technology (JET) database -hh.exe,c:\windows\*,Binary used for processing chm files in Windows -hh.exe,c:\windows\syswow64\*,Binary used for processing chm files in Windows -findstr.exe,c:\windows\system32\*,"Write to ADS, discover, or download files with Findstr.exe" -findstr.exe,c:\windows\syswow64\*,"Write to ADS, discover, or download files with Findstr.exe" -verclsid.exe,c:\windows\system32\*,Used to verify a COM object before it is instantiated by Windows Explorer -verclsid.exe,c:\windows\syswow64\*,Used to verify a COM object 
before it is instantiated by Windows Explorer -certreq.exe,c:\windows\system32\*,Used for requesting and managing certificates -certreq.exe,c:\windows\syswow64\*,Used for requesting and managing certificates -csc.exe,c:\windows\microsoft.net\framework\v*\*,Binary file used by .NET to compile C# code -csc.exe,c:\windows\microsoft.net\framework64\v*\*,Binary file used by .NET to compile C# code -imewdbld.exe,c:\windows\system32\ime\shared\*,Microsoft IME Open Extended Dictionary Module -presentationhost.exe,c:\windows\system32\*,File is used for executing Browser applications -presentationhost.exe,c:\windows\syswow64\*,File is used for executing Browser applications -shell32.dll,c:\windows\system32\*,Windows Shell Common Dll -shell32.dll,c:\windows\syswow64\*,Windows Shell Common Dll -zipfldr.dll,c:\windows\system32\*,Compressed Folder library -zipfldr.dll,c:\windows\syswow64\*,Compressed Folder library -desk.cpl,c:\windows\system32\*,Desktop Settings Control Panel -desk.cpl,c:\windows\syswow64\*,Desktop Settings Control Panel -comsvcs.dll,c:\windows\system32\*,COM+ Services -setupapi.dll,c:\windows\system32\*,Windows Setup Application Programming Interface -setupapi.dll,c:\windows\syswow64\*,Windows Setup Application Programming Interface -mshtml.dll,c:\windows\system32\*,Microsoft HTML Viewer -mshtml.dll,c:\windows\syswow64\*,Microsoft HTML Viewer -advpack.dll,c:\windows\system32\*,Utility for installing software and drivers with rundll32.exe -advpack.dll,c:\windows\syswow64\*,Utility for installing software and drivers with rundll32.exe -pcwutl.dll,c:\windows\system32\*,Microsoft HTML Viewer -pcwutl.dll,c:\windows\syswow64\*,Microsoft HTML Viewer -shdocvw.dll,c:\windows\system32\*,Shell Doc Object and Control Library. -shdocvw.dll,c:\windows\syswow64\*,Shell Doc Object and Control Library. -ieframe.dll,c:\windows\system32\*,Internet Browser DLL for translating HTML code. -ieframe.dll,c:\windows\syswow64\*,Internet Browser DLL for translating HTML code. 
-dfshim.dll,c:\windows\microsoft.net\framework\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfshim.dll,c:\windows\microsoft.net\framework64\v2.0.50727\*,ClickOnce engine in Windows used by .NET -dfshim.dll,c:\windows\microsoft.net\framework\v4.0.30319\*,ClickOnce engine in Windows used by .NET -dfshim.dll,c:\windows\microsoft.net\framework64\v4.0.30319\*,ClickOnce engine in Windows used by .NET -url.dll,c:\windows\system32\*,Internet Shortcut Shell Extension DLL. -url.dll,c:\windows\syswow64\*,Internet Shortcut Shell Extension DLL. -ieadvpack.dll,c:\windows\system32\*,INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -ieadvpack.dll,c:\windows\syswow64\*,INF installer for Internet Explorer. Has much of the same functionality as advpack.dll. -syssetup.dll,c:\windows\system32\*,Windows NT System Setup -syssetup.dll,c:\windows\syswow64\*,Windows NT System Setup -winrm.vbs,c:\windows\system32\*,Script used for manage Windows RM settings -winrm.vbs,c:\windows\syswow64\*,Script used for manage Windows RM settings -manage-bde.wsf,c:\windows\system32\*,Script for managing BitLocker -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\windowsupdate\*,Proxy execution with CL_Mutexverifiers.ps1 -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\audio\*,Proxy execution with CL_Mutexverifiers.ps1 -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\video\*,Proxy execution with CL_Mutexverifiers.ps1 -cl_mutexverifiers.ps1,c:\windows\diagnostics\system\speech\*,Proxy execution with CL_Mutexverifiers.ps1 -pubprn.vbs,c:\windows\system32\printing_admin_scripts\en-us\*,Proxy execution with Pubprn.vbs -pubprn.vbs,c:\windows\syswow64\printing_admin_scripts\en-us\*,Proxy execution with Pubprn.vbs -pester.bat,c:\program files\windowspowershell\modules\pester\3.4.0\bin\*,Used as part of the Powershell pester -pester.bat,c:\program files\windowspowershell\modules\pester\*\bin\*,Used as part of the Powershell pester 
-cl_loadassembly.ps1,c:\windows\diagnostics\system\audio\*,PowerShell Diagnostic Script -syncappvpublishingserver.vbs,c:\windows\system32\*,Script used related to app-v and publishing server -cl_invocation.ps1,c:\windows\diagnostics\system\aero\*,Aero diagnostics script -cl_invocation.ps1,c:\windows\diagnostics\system\audio\*,Aero diagnostics script -cl_invocation.ps1,c:\windows\diagnostics\system\windowsupdate\*,Aero diagnostics script -utilityfunctions.ps1,c:\windows\diagnostics\system\networking\*,PowerShell Diagnostic Script -coregen.exe,c:\program files\microsoft silverlight\5.1.50918.0\*,"Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within ""C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight." -coregen.exe,c:\program files (x86)\microsoft silverlight\5.1.50918.0\*,"Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within ""C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight." -fsi.exe,c:\program files\dotnet\sdk\[sdk version]\fsharp\*,64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -fsi.exe,c:\program files (x86)\microsoft visual studio\2019\professional\common7\ide\commonextensions\microsoft\fsharp\*,64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. -visualuiaverifynative.exe,c:\program files (x86)\windows kits\10\bin\[sdk version]\arm64\uiaverify\*,A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. 
-visualuiaverifynative.exe,c:\program files (x86)\windows kits\10\bin\[sdk version]\x64\uiaverify\*,A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -visualuiaverifynative.exe,c:\program files (x86)\windows kits\10\bin\[sdk version]\uiaverify\*,A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. -ntdsutil.exe,c:\windows\system32\*,Command line utility used to export Active Directory. -sqltoolsps.exe,c:\program files (x86)\microsoft sql server\130\tools\binn\*,Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+. -dump64.exe,c:\program files (x86)\microsoft visual studio\installer\feedback\*,Memory dump tool that comes with Microsoft Visual Studio -wsl.exe,c:\windows\system32\*,Windows subsystem for Linux executable -csi.exe,c:\program files (x86)\microsoft visual studio\2017\community\msbuild\15.0\bin\roslyn\*,Command line interface included with Visual Studio. -csi.exe,c:\program files (x86)\microsoft web tools\packages\microsoft.net.compilers.x.y.z\tools\*,Command line interface included with Visual Studio. -mftrace.exe,c:\program files (x86)\windows kits\10\bin\10.0.16299.0\*,Trace log generation tool for Media Foundation Tools. -mftrace.exe,c:\program files (x86)\windows kits\10\bin\*,Trace log generation tool for Media Foundation Tools. 
-adplus.exe,c:\program files (x86)\windows kits\10\debuggers\x64\*,Debugging tool included with Windows Debugging Tools
-adplus.exe,c:\program files (x86)\windows kits\10\debuggers\x86\*,Debugging tool included with Windows Debugging Tools
-excel.exe,c:\program files\microsoft office\root\office*\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office binary
-excel.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office binary
-excel.exe,c:\program files\microsoft office\office16\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office binary
-excel.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office binary
-excel.exe,c:\program files\microsoft office\office15\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office binary
-excel.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office binary
-excel.exe,c:\program files\microsoft office\office14\*,Microsoft Office binary
-excel.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office binary
-excel.exe,c:\program files\microsoft office\office12\*,Microsoft Office binary
-dotnet.exe,c:\program files\dotnet\*,dotnet.exe comes with .NET Framework
-sqlps.exe,c:\program files (x86)\microsoft sql server\*\tools\binn\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. 
Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons."
-sqlps.exe,c:\program files\microsoft sql server\*\tools\binn\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons."
-acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\x86\accchecker\*,Verifies UI accessibility requirements
-acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\x64\accchecker\*,Verifies UI accessibility requirements
-acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\arm\accchecker\*,Verifies UI accessibility requirements
-acccheckconsole.exe,c:\program files (x86)\windows kits\10\bin\10.0.22000.0\arm64\accchecker\*,Verifies UI accessibility requirements
-powerpnt.exe,c:\program files\microsoft office\root\office*\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office binary.
-powerpnt.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office binary.
-powerpnt.exe,c:\program files\microsoft office\office16\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office binary.
-powerpnt.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office binary.
-powerpnt.exe,c:\program files\microsoft office\office15\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office binary.
-powerpnt.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office binary.
-powerpnt.exe,c:\program files\microsoft office\office14\*,Microsoft Office binary.
-powerpnt.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office binary.
-powerpnt.exe,c:\program files\microsoft office\office12\*,Microsoft Office binary.
-sqldumper.exe,c:\program files\microsoft sql server\*\shared\*,Debugging utility included with Microsoft SQL.
-sqldumper.exe,c:\program files (x86)\microsoft office\root\vfs\programfilesx86\microsoft analysis\as oledb\140\*,Debugging utility included with Microsoft SQL.
-remote.exe,c:\program files (x86)\windows kits\10\debuggers\x64\*,Debugging tool included with Windows Debugging Tools
-remote.exe,c:\program files (x86)\windows kits\10\debuggers\x86\*,Debugging tool included with Windows Debugging Tools
-appvlp.exe,c:\program files\microsoft office\root\client\*,Application Virtualization Utility Included with Microsoft Office 2016
-appvlp.exe,c:\program files (x86)\microsoft office\root\client\*,Application Virtualization Utility Included with Microsoft Office 2016
-agentexecutor.exe,c:\program files (x86)\*,Intune Management Extension included on Intune Managed Devices
-dxcap.exe,c:\windows\system32\*,DirectX diagnostics/debugger included with Visual Studio.
-dxcap.exe,c:\windows\syswow64\*,DirectX diagnostics/debugger included with Visual Studio.
-cdb.exe,c:\program files (x86)\windows kits\10\debuggers\x64\*,Debugging tool included with Windows Debugging Tools.
-cdb.exe,c:\program files (x86)\windows kits\10\debuggers\x86\*,Debugging tool included with Windows Debugging Tools.
-defaultpack.exe,c:\program files (x86)\microsoft\defaultpack\*,This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
-devtoolslauncher.exe,c:\windows\system32\*,Binary will execute specified binary. Part of VS/VScode installation.
-vsiisexelauncher.exe,c:\program files (x86)\microsoft visual studio\2019\community\common7\ide\extensions\microsoft\web tools\projectsystem\*,Binary will execute specified binary. Part of VS/VScode installation.
-winword.exe,c:\program files\microsoft office\root\office*\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office binary
-winword.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office binary
-winword.exe,c:\program files\microsoft office\office16\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office binary
-winword.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office binary
-winword.exe,c:\program files\microsoft office\office15\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office binary
-winword.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office binary
-winword.exe,c:\program files\microsoft office\office14\*,Microsoft Office binary
-winword.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office binary
-winword.exe,c:\program files\microsoft office\office12\*,Microsoft Office binary
-fsianycpu.exe,c:\program files (x86)\microsoft visual studio\2019\professional\common7\ide\commonextensions\microsoft\fsharp\*,32/64-bit FSharp (F#) Interpreter included with Visual Studio.
-vsjitdebugger.exe,c:\windows\system32\*,Just-In-Time (JIT) debugger included with Visual Studio
-wfc.exe,c:\program files (x86)\microsoft sdks\windows\v10.0a\bin\netfx 4.8 tools\*,The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
-msdeploy.exe,c:\program files (x86)\iis\microsoft web deploy v3\*,Microsoft tool used to deploy Web Applications.
-addinutil.exe,c:\windows\microsoft.net\framework\*\*,.NET Tool used for updating cache files for Microsoft Office Add-Ins.
-addinutil.exe,c:\windows\microsoft.net\framework64\*\*,.NET Tool used for updating cache files for Microsoft Office Add-Ins.
-appcert.exe,c:\program files (x86)\windows kits\10\app certification kit\*,Windows App Certification Kit command-line tool.
-appcert.exe,c:\program files\windows kits\10\app certification kit\*,Windows App Certification Kit command-line tool.
-bginfo.exe,*,Background Information Utility included with SysInternals Suite
-code.exe,c:\users\*\appdata\local\programs\microsoft vs code\*,"VSCode binary, also portable (CLI) version"
-code.exe,c:\program files\microsoft vs code\*,"VSCode binary, also portable (CLI) version"
-code.exe,c:\program files (x86)\microsoft vs code\*,"VSCode binary, also portable (CLI) version"
-colorcpl.exe,c:\windows\system32\*,Binary that handles color management
-colorcpl.exe,c:\windows\syswow64\*,Binary that handles color management
-createdump.exe,c:\program files\dotnet\shared\microsoft.netcore.app\*\*,Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-createdump.exe,c:\program files (x86)\dotnet\shared\microsoft.netcore.app\*\*,Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-createdump.exe,c:\program files\microsoft visual studio\*\community\dotnet\runtime\shared\microsoft.netcore.app\6.0.0\*,Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-createdump.exe,c:\program files (x86)\microsoft visual studio\*\community\dotnet\runtime\shared\microsoft.netcore.app\6.0.0\*,Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
-customshellhost.exe,c:\windows\system32\*,A host process that is used by custom shells when using Windows in Kiosk mode.
-devicecredentialdeployment.exe,c:\windows\system32\*,Device Credential Deployment
-devinit.exe,c:\program files\microsoft visual studio\*\community\common7\tools\devinit\*,Visual Studio 2019 tool
-devinit.exe,c:\program files (x86)\microsoft visual studio\*\community\common7\tools\devinit\*,Visual Studio 2019 tool
-devtunnel.exe,c:\users\*\appdata\local\temp\.net\devtunnel\*,Binary to enable forwarded ports on windows operating systems.
-devtunnel.exe,c:\users\*\appdata\local\temp\devtunnels\*,Binary to enable forwarded ports on windows operating systems.
-dnx.exe,*,.Net Execution environment file included with .Net.
-dsdbutil.exe,c:\windows\system32\*,Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
-dsdbutil.exe,c:\windows\syswow64\*,Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
-dumpminitool.exe,c:\program files\microsoft visual studio\2022\community\common7\ide\extensions\testplatform\extensions\*,Dump tool part Visual Studio 2022
-fsutil.exe,c:\windows\system32\*,File System Utility
-fsutil.exe,c:\windows\syswow64\*,File System Utility
-iediagcmd.exe,c:\program files\internet explorer\*,Diagnostics Utility for Internet Explorer
-launch-vsdevshell.ps1,c:\program files (x86)\microsoft visual studio\2019\community\common7\tools\*,Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet
-launch-vsdevshell.ps1,c:\program files\microsoft visual studio\2022\community\common7\tools\*,Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet
-ldifde.exe,c:\windows\system32\*,"Creates, modifies, and deletes LDAP directory objects."
-ldifde.exe,c:\windows\syswow64\*,"Creates, modifies, and deletes LDAP directory objects."
-microsoft.nodejstools.pressanykey.exe,c:\program files\microsoft visual studio\*\community\common7\ide\extensions\microsoft\nodejstools\nodejstools\*,Part of the NodeJS Visual Studio tools.
-microsoft.nodejstools.pressanykey.exe,c:\program files (x86)\microsoft visual studio\*\community\common7\ide\extensions\microsoft\nodejstools\nodejstools\*,Part of the NodeJS Visual Studio tools.
-msaccess.exe,c:\program files\microsoft office\root\office*\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office component
-msaccess.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office component
-msaccess.exe,c:\program files\microsoft office\office16\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office component
-msaccess.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office component
-msaccess.exe,c:\program files\microsoft office\office15\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office component
-msaccess.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office component
-msaccess.exe,c:\program files\microsoft office\office14\*,Microsoft Office component
-msaccess.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office component
-msaccess.exe,c:\program files\microsoft office\office12\*,Microsoft Office component
-msedge.exe,c:\users\*\appdata\local\microsoft\edge\*,Microsoft Edge browser
-msedge.exe,c:\program files\microsoft\edge\application\*,Microsoft Edge browser
-msedge.exe,c:\program files (x86)\microsoft\edge\application\*,Microsoft Edge browser
-msedgewebview2.exe,c:\program files (x86)\microsoft\edge\application\*,"msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web 
content."
-msedge_proxy.exe,c:\\program files (x86)\microsoft\edge\application\*,Microsoft Edge Browser
-msohtmed.exe,c:\program files\microsoft office\root\office*\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office component
-msohtmed.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office component
-msohtmed.exe,c:\program files\microsoft office\office16\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office component
-msohtmed.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office component
-msohtmed.exe,c:\program files\microsoft office\office15\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Office component
-msohtmed.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Office component
-msohtmed.exe,c:\program files\microsoft office\office14\*,Microsoft Office component
-msohtmed.exe,c:\program files (x86)\microsoft office\office12\*,Microsoft Office component
-msohtmed.exe,c:\program files\microsoft office\office12\*,Microsoft Office component
-mspub.exe,c:\program files\microsoft office\root\office*\*,Microsoft Publisher
-mspub.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Publisher
-mspub.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Publisher
-mspub.exe,c:\program files\microsoft office 16\clientx64\root\office16\*,Microsoft 
Publisher
-mspub.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Publisher
-mspub.exe,c:\program files\microsoft office\office16\*,Microsoft Publisher
-mspub.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Publisher
-mspub.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Publisher
-mspub.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Publisher
-mspub.exe,c:\program files\microsoft office\office15\*,Microsoft Publisher
-mspub.exe,c:\program files (x86)\microsoft office 14\clientx86\root\office14\*,Microsoft Publisher
-mspub.exe,c:\program files\microsoft office 14\clientx64\root\office14\*,Microsoft Publisher
-mspub.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Publisher
-mspub.exe,c:\program files\microsoft office\office14\*,Microsoft Publisher
-msxsl.exe,*,Command line utility used to perform XSL transformations.
-onedrivestandaloneupdater.exe,c:\users\*\appdata\local\microsoft\onedrive\*,OneDrive Standalone Updater
-openconsole.exe,c:\program files (x86)\microsoft visual studio\2019\community\common7\ide\commonextensions\microsoft\terminal\servicehub\os64\*,Console Window host for Windows Terminal
-openconsole.exe,c:\program files (x86)\microsoft visual studio\2019\community\common7\ide\commonextensions\microsoft\terminal\servicehub\os86\*,Console Window host for Windows Terminal
-openconsole.exe,c:\program files\microsoft visual studio\2022\community\common7\ide\commonextensions\microsoft\terminal\servicehub\os64\*,Console Window host for Windows Terminal
-procdump.exe,*,SysInternals Memory Dump Tool
-protocolhandler.exe,c:\program files\microsoft office\root\office*\*,Microsoft Office binary
-protocolhandler.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Office binary
-protocolhandler.exe,c:\program files (x86)\microsoft office 16\clientx86\root\office16\*,Microsoft Office binary
-protocolhandler.exe,c:\program 
files\microsoft office 16\clientx64\root\office16\*,Microsoft Office binary
-protocolhandler.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Office binary
-protocolhandler.exe,c:\program files\microsoft office\office16\*,Microsoft Office binary
-protocolhandler.exe,c:\program files (x86)\microsoft office 15\clientx86\root\office15\*,Microsoft Office binary
-protocolhandler.exe,c:\program files\microsoft office 15\clientx64\root\office15\*,Microsoft Office binary
-protocolhandler.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Office binary
-protocolhandler.exe,c:\program files\microsoft office\office15\*,Microsoft Office binary
-provlaunch.exe,c:\windows\system32\*,Launcher process
-rcsi.exe,*,Non-Interactive command line inerface included with Visual Studio.
-runexehelper.exe,c:\windows\system32\*,Launcher process
-scrobj.dll,c:\windows\system32\*,Windows Script Component Runtime
-scrobj.dll,c:\windows\syswow64\*,Windows Script Component Runtime
-setres.exe,c:\windows\system32\*,Configures display settings
-shimgvw.dll,c:\windows\system32\*,Photo Gallery Viewer
-shimgvw.dll,c:\windows\syswow64\*,Photo Gallery Viewer
-squirrel.exe,c:\users\*\appdata\local\microsoft\teams\current\*,Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
-squirrel.exe,c:\users\*\appdata\local\microsoft\teams\stage\*,Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
-squirrel.exe,c:\programdata\*\microsoft\teams\current\*,Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
-ssh.exe,c:\windows\system32\openssh\*,Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
-tar.exe,c:\windows\system32\*,Used by Windows to extract and create archives.
-tar.exe,c:\windows\syswow64\*,Used by Windows to extract and create archives.
-te.exe,*,Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).
-teams.exe,c:\users\*\appdata\local\microsoft\teams\current\*,Electron runtime binary which runs the Teams application
-teams.exe,c:\users\*\appdata\local\microsoft\teams\stage\*,Electron runtime binary which runs the Teams application
-teams.exe,c:\programdata\*\microsoft\teams\current\*,Electron runtime binary which runs the Teams application
-testwindowremoteagent.exe,c:\program files\microsoft visual studio\2022\community\common7\ide\commonextensions\microsoft\testwindow\remoteagent\*,TestWindowRemoteAgent.exe is the command-line tool to establish RPC
-tracker.exe,*,Tool included with Microsoft .Net Framework.
-unregmp2.exe,c:\windows\system32\*,Microsoft Windows Media Player Setup Utility
-unregmp2.exe,c:\windows\syswow64\*,Microsoft Windows Media Player Setup Utility
-update.exe,c:\users\*\appdata\local\microsoft\teams\*,Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
-update.exe,c:\users\*\appdata\local\squirreltemp\*,Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
-update.exe,c:\programdata\*\microsoft\teams\*,Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
-vsdiagnostics.exe,c:\program files\microsoft visual studio\2022\community\team tools\diagnosticshub\collector\*,Command-line tool used for performing diagnostics.
-vshadow.exe,c:\program files (x86)\windows kits\10\bin\10.0.xxxxx.0\x64\*,VShadow is a command-line tool that can be used to create and manage volume shadow copies.
-vsls-agent.exe,c:\program files (x86)\microsoft visual studio\2019\professional\common7\ide\extensions\microsoft\liveshare\agent\*,Agent for Visual Studio Live Share (Code Collaboration)
-vstest.console.exe,c:\program files\microsoft visual studio\2022\community\common7\ide\commonextensions\microsoft\testwindow\*,VSTest.Console.exe is the command-line tool to run tests
-vstest.console.exe,c:\program files (x86)\microsoft visual studio\2022\testagent\common7\ide\commonextensions\microsoft\testwindow\*,VSTest.Console.exe is the command-line tool to run tests
-wbadmin.exe,c:\windows\system32\*,Windows Backup Administration utility
-winget.exe,c:\users\*\appdata\local\microsoft\windowsapps\*,Windows Package Manager tool
-winproj.exe,c:\program files\microsoft office\root\office*\*,Microsoft Project Executable
-winproj.exe,c:\program files (x86)\microsoft office\root\office*\*,Microsoft Project Executable
-winproj.exe,c:\program files (x86)\microsoft office\office14\*,Microsoft Project Executable
-winproj.exe,c:\program files\microsoft office\office14\*,Microsoft Project Executable
-winproj.exe,c:\program files (x86)\microsoft office\office15\*,Microsoft Project Executable
-winproj.exe,c:\program files\microsoft office\office15\*,Microsoft Project Executable
-winproj.exe,c:\program files (x86)\microsoft office\office16\*,Microsoft Project Executable
-winproj.exe,c:\program files\microsoft office\office16\*,Microsoft Project Executable
-winproj.exe,c:\program files (x86)\microsoft office\root\office14\*,Microsoft Project Executable
-winproj.exe,c:\program files\microsoft office\root\office14\*,Microsoft Project Executable
-winproj.exe,c:\program files (x86)\microsoft office\root\office15\*,Microsoft Project Executable
-winproj.exe,c:\program files\microsoft office\root\office15\*,Microsoft Project Executable
-winproj.exe,c:\program files (x86)\microsoft office\root\office16\*,Microsoft Project Executable
-winproj.exe,c:\program files\microsoft 
office\root\office16\*,Microsoft Project Executable
-wt.exe,c:\program files\windowsapps\microsoft.windowsterminal_*,Windows Terminal
+acccheckconsole.exe,C:\Program Files (x86)\Windows Kits\*,Verifies UI accessibility requirements
+addinutil.exe,C:\Windows\Microsoft.NET\Framework\*,.NET Tool used for updating cache files for Microsoft Office Add-Ins.
+adplus.exe,C:\Program Files (x86)\Windows Kits\*,Debugging tool included with Windows Debugging Tools
+agentexecutor.exe,C:\Program Files (x86)\Microsoft Intune Management Extension\*,Intune Management Extension included on Intune Managed Devices
+appcert.exe,C:\Program Files (x86)\Windows Kits\*,Windows App Certification Kit command-line tool.
+appcert.exe,C:\Program Files\Windows Kits\*,Windows App Certification Kit command-line tool.
+appinstaller.exe,C:\Program Files\WindowsApps\microsoft.desktopappinstaller*,Tool used for installation of AppX/MSIX applications on Windows 10
+appvlp.exe,C:\Program Files (x86)\Microsoft Office*,Application Virtualization Utility Included with Microsoft Office 2016
+appvlp.exe,C:\Program Files\Microsoft Office*,Application Virtualization Utility Included with Microsoft Office 2016
+aspnet_compiler.exe,C:\Windows\Microsoft.NET\Framework\*,ASP.NET Compilation Tool
+aspnet_compiler.exe,C:\Windows\Microsoft.NET\Framework64\*,ASP.NET Compilation Tool
+at.exe,C:\Windows\System32\*,Schedule periodic tasks
+at.exe,C:\Windows\SysWOW64\*,Schedule periodic tasks
+atbroker.exe,C:\Windows\System32\*,Helper binary for Assistive Technology (AT)
+atbroker.exe,C:\Windows\SysWOW64\*,Helper binary for Assistive Technology (AT)
+bitsadmin.exe,C:\Windows\System32\*,Used for managing background intelligent transfer
+bitsadmin.exe,C:\Windows\SysWOW64\*,Used for managing background intelligent transfer
+cdb.exe,C:\Program Files (x86)\Windows Kits\*,Debugging tool included with Windows Debugging Tools.
+certoc.exe,C:\Windows\System32\*,Used for installing certificates
+certoc.exe,C:\Windows\SysWOW64\*,Used for installing certificates
+certreq.exe,C:\Windows\System32\*,Used for requesting and managing certificates
+certreq.exe,C:\Windows\SysWOW64\*,Used for requesting and managing certificates
+certutil.exe,C:\Windows\System32\*,Windows binary used for handling certificates
+certutil.exe,C:\Windows\SysWOW64\*,Windows binary used for handling certificates
+cmd.exe,C:\Windows\System32\*,The command-line interpreter in Windows
+cmd.exe,C:\Windows\SysWOW64\*,The command-line interpreter in Windows
+cmdkey.exe,C:\Windows\System32\*,"creates, lists, and deletes stored user names and passwords or credentials."
+cmdkey.exe,C:\Windows\SysWOW64\*,"creates, lists, and deletes stored user names and passwords or credentials."
+cmdl32.exe,C:\Windows\System32\*,Microsoft Connection Manager Auto-Download
+cmdl32.exe,C:\Windows\SysWOW64\*,Microsoft Connection Manager Auto-Download
+cmstp.exe,C:\Windows\System32\*,Installs or removes a Connection Manager service profile.
+cmstp.exe,C:\Windows\SysWOW64\*,Installs or removes a Connection Manager service profile.
+colorcpl.exe,C:\Windows\System32\*,Binary that handles color management
+colorcpl.exe,C:\Windows\SysWOW64\*,Binary that handles color management
+conhost.exe,C:\Windows\System32\*,Console Window host
+control.exe,C:\Windows\SysWOW64\*,Console Window host
+csc.exe,C:\Program Files\Microsoft Visual Studio\*,Binary file used by .NET to compile C# code
+csc.exe,C:\Windows\Microsoft.NET\Framework\*,Binary file used by .NET to compile C# code
+csc.exe,C:\Windows\Microsoft.NET\Framework64\*,Binary file used by .NET to compile C# code
+cscript.exe,C:\Windows\System32\*,Binary used to execute scripts in Windows
+cscript.exe,C:\Windows\SysWOW64\*,Binary used to execute scripts in Windows
+csi.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,Command line interface included with Visual Studio.
+csi.exe,C:\Program Files (x86)\Microsoft Web Tools\*,Command line interface included with Visual Studio.
+customshellhost.exe,C:\Windows\System32\*,A host process that is used by custom shells when using Windows in Kiosk mode.
+datasvcutil.exe,C:\Windows\Microsoft.NET\Framework\*,DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
+datasvcutil.exe,C:\Windows\Microsoft.NET\Framework64\*,DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
+desktopimgdownldr.exe,C:\Windows\System32\*,Windows binary used to configure lockscreen/desktop image
+devicecredentialdeployment.exe,C:\Windows\System32\*,Device Credential Deployment
+devinit.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,Visual Studio 2019 tool
+devinit.exe,C:\Program Files\Microsoft Visual Studio\*,Visual Studio 2019 tool
+devtoolslauncher.exe,C:\Windows\System32\*,Binary will execute specified binary. Part of VS/VScode installation.
+dfsvc.exe,C:\Windows\Microsoft.NET\Framework\*,ClickOnce engine in Windows used by .NET
+dfsvc.exe,C:\Windows\Microsoft.NET\Framework64\*,ClickOnce engine in Windows used by .NET
+diantz.exe,C:\Windows\System32\*,Binary that package existing files into a cabinet (.cab) file
+diantz.exe,C:\Windows\SysWOW64\*,Binary that package existing files into a cabinet (.cab) file
+diskshadow.exe,C:\Windows\System32\*,Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
+diskshadow.exe,C:\Windows\SysWOW64\*,Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
+dnscmd.exe,C:\Windows\System32\*,A command-line interface for managing DNS servers
+dnscmd.exe,C:\Windows\SysWOW64\*,A command-line interface for managing DNS servers
+dotnet.exe,C:\Program Files (x86)\dotnet\*,dotnet.exe comes with .NET Framework
+dotnet.exe,C:\Program Files\dotnet\*,dotnet.exe comes with .NET Framework
+dotnet.exe,C:\Program Files\Microsoft Visual Studio\*,dotnet.exe comes with .NET Framework
+dsdbutil.exe,C:\Windows\System32\*,Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
+dsdbutil.exe,C:\Windows\SysWOW64\*,Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
+dumpminitool.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,Dump tool part Visual Studio 2022
+dumpminitool.exe,C:\Program Files\dotnet\*,Dump tool part Visual Studio 2022
+dumpminitool.exe,C:\Program Files\Microsoft Visual Studio\*,Dump tool part Visual Studio 2022
+dxcap.exe,C:\Windows\System32\*,DirectX diagnostics/debugger included with Visual Studio.
+dxcap.exe,C:\Windows\SysWOW64\*,DirectX diagnostics/debugger included with Visual Studio.
+esentutl.exe,C:\Windows\System32\*,Binary for working with Microsoft Joint Engine Technology (JET) database
+esentutl.exe,C:\Windows\SysWOW64\*,Binary for working with Microsoft Joint Engine Technology (JET) database
+eventvwr.exe,C:\Windows\System32\*,Displays Windows Event Logs in a GUI window.
+eventvwr.exe,C:\Windows\SysWOW64\*,Displays Windows Event Logs in a GUI window.
+excel.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Office binary
+excel.exe,C:\Program Files\Microsoft Office*,Microsoft Office binary
+expand.exe,C:\Windows\System32\*,Binary that expands one or more compressed files
+expand.exe,C:\Windows\SysWOW64\*,Binary that expands one or more compressed files
+explorer.exe,C:\windows\*,Binary used for managing files and system components within Windows
+explorer.exe,C:\Windows\SysWOW64\*,Binary used for managing files and system components within Windows
+extexport.exe,C:\Program Files (x86)\Internet Explorer\*,Load a DLL located in the C:\test folder with a specific name.
+extexport.exe,C:\Program Files\Internet Explorer\*,Load a DLL located in the C:\test folder with a specific name.
+extrac32.exe,C:\Windows\System32\*,"Extract to ADS, copy or overwrite a file with Extrac32.exe"
+extrac32.exe,C:\Windows\SysWOW64\*,"Extract to ADS, copy or overwrite a file with Extrac32.exe"
+findstr.exe,C:\Windows\System32\*,"Write to ADS, discover, or download files with Findstr.exe"
+findstr.exe,C:\Windows\SysWOW64\*,"Write to ADS, discover, or download files with Findstr.exe"
+finger.exe,C:\Windows\System32\*,Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
+finger.exe,C:\Windows\SysWOW64\*,Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
+fltmc.exe,C:\Windows\System32\*,Filter Manager Control Program used by Windows
+forfiles.exe,C:\Windows\System32\*,Selects and executes a command on a file or set of files. This command is useful for batch processing.
+forfiles.exe,C:\Windows\SysWOW64\*,Selects and executes a command on a file or set of files. This command is useful for batch processing.
+fsi.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
+fsi.exe,C:\Program Files\dotnet\*,64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +fsi.exe,C:\Program Files\Microsoft Visual Studio\*,64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK. +fsianycpu.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,32/64-bit FSharp (F#) Interpreter included with Visual Studio. +fsutil.exe,C:\Windows\System32\*,File System Utility +fsutil.exe,C:\Windows\SysWOW64\*,File System Utility +ftp.exe,C:\Windows\System32\*,A binary designed for connecting to FTP servers +ftp.exe,C:\Windows\SysWOW64\*,A binary designed for connecting to FTP servers +gfxdownloadwrapper.exe,C:\Windows\System32\DriverStore\FileRepository\*,"Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path." +gpscript.exe,C:\Windows\System32\*,Used by group policy to process scripts +gpscript.exe,C:\Windows\SysWOW64\*,Used by group policy to process scripts +hh.exe,C:\windows\*,Binary used for processing chm files in Windows +hh.exe,C:\Windows\SysWOW64\*,Binary used for processing chm files in Windows +ie4uinit.exe,C:\Windows\System32\*,Executes commands from a specially prepared ie4uinit.inf file. +ie4uinit.exe,C:\Windows\SysWOW64\*,Executes commands from a specially prepared ie4uinit.inf file. +iediagcmd.exe,C:\Program Files\internet explorer\*,Diagnostics Utility for Internet Explorer +ieexec.exe,C:\windows\Microsoft.NET\Framework\*,The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. +ieexec.exe,C:\windows\Microsoft.NET\Framework64\*,The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. 
You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL. +ilasm.exe,C:\windows\Microsoft.NET\Framework\*,used for compile c# code into dll or exe. +ilasm.exe,C:\windows\Microsoft.NET\Framework64\*,used for compile c# code into dll or exe. +imewdbld.exe,C:\Windows\System32\ime\shared\*,Microsoft IME Open Extended Dictionary Module +infdefaultinstall.exe,C:\Windows\System32\*,Binary used to perform installation based on content inside inf files +infdefaultinstall.exe,C:\Windows\SysWOW64\*,Binary used to perform installation based on content inside inf files +installutil.exe,C:\windows\Microsoft.NET\Framework\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies +installutil.exe,C:\windows\Microsoft.NET\Framework64\*,The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies +jsc.exe,C:\windows\Microsoft.NET\Framework\*,Binary file used by .NET to compile javascript code to .exe or .dll format +jsc.exe,C:\windows\Microsoft.NET\Framework64\*,Binary file used by .NET to compile javascript code to .exe or .dll format +ldifde.exe,C:\Windows\System32\*,"Creates, modifies, and deletes LDAP directory objects." +ldifde.exe,C:\Windows\SysWOW64\*,"Creates, modifies, and deletes LDAP directory objects." +makecab.exe,C:\Windows\System32\*,Binary to package existing files into a cabinet (.cab) file +makecab.exe,C:\Windows\SysWOW64\*,Binary to package existing files into a cabinet (.cab) file +manage-bde.wsf,C:\Windows\System32\*,Script for managing BitLocker +mavinject.exe,C:\Windows\System32\*,Used by App-v in Windows +mavinject.exe,C:\Windows\SysWOW64\*,Used by App-v in Windows +mftrace.exe,C:\Program Files (x86)\windows kits\*,Trace log generation tool for Media Foundation Tools. 
+microsoft.nodejstools.pressanykey.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,Part of the NodeJS Visual Studio tools. +microsoft.nodejstools.pressanykey.exe,C:\Program Files\Microsoft Visual Studio\*,Part of the NodeJS Visual Studio tools. +microsoft.workflow.compiler.exe,C:\windows\Microsoft.NET\Framework64\*,A utility included with .NET that is capable of compiling and executing C# or VB.net code. +mmc.exe,C:\Windows\System32\*,Load snap-ins to locally and remotely manage Windows systems +mmc.exe,C:\Windows\SysWOW64\*,Load snap-ins to locally and remotely manage Windows systems +msaccess.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Office binary +msaccess.exe,C:\Program Files\Microsoft Office*,Microsoft Office binary +msbuild.exe,C:\Program Files (x86)\msbuild\14.0\bin\*,Used to compile and execute code +msbuild.exe,C:\windows\Microsoft.NET\Framework\*,Used to compile and execute code +msbuild.exe,C:\windows\Microsoft.NET\Framework64\*,Used to compile and execute code +msconfig.exe,C:\Windows\System32\*,"MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows" +msdeploy.exe,C:\Program Files (x86)\iis\microsoft web deploy v3\*,Microsoft tool used to deploy Web Applications. +msdt.exe,C:\Windows\System32\*,Microsoft diagnostics tool +msdt.exe,C:\Windows\SysWOW64\*,Microsoft diagnostics tool +mshta.exe,C:\Windows\System32\*,Used by Windows to execute html applications. (.hta) +mshta.exe,C:\Windows\SysWOW64\*,Used by Windows to execute html applications. 
(.hta) +msiexec.exe,C:\Windows\System32\*,Used by Windows to execute msi files +msiexec.exe,C:\Windows\SysWOW64\*,Used by Windows to execute msi files +msohtmed.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Office binary +msohtmed.exe,C:\Program Files\Microsoft Office*,Microsoft Office binary +mspub.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Office binary +mspub.exe,C:\Program Files\Microsoft Office*,Microsoft Office binary +netsh.exe,C:\Windows\System32\*,Netsh is a Windows tool used to manipulate network interface settings. +netsh.exe,C:\Windows\SysWOW64\*,Netsh is a Windows tool used to manipulate network interface settings. +ntdsutil.exe,C:\Windows\System32\*,Command line utility used to export Active Directory. +odbcconf.exe,C:\Windows\System32\*,Used in Windows for managing ODBC connections +odbcconf.exe,C:\Windows\SysWOW64\*,Used in Windows for managing ODBC connections +offlinescannershell.exe,C:\Program Files\windows defender\offline\*,Windows Defender Offline Shell +pcalua.exe,C:\Windows\System32\*,Program Compatibility Assistant +pcwrun.exe,C:\Windows\System32\*,Program Compatibility Wizard +pktmon.exe,C:\Windows\System32\*,Capture Network Packets on the windows 10 with October 2018 Update or later. +pktmon.exe,C:\Windows\SysWOW64\*,Capture Network Packets on the windows 10 with October 2018 Update or later. 
+pnputil.exe,C:\Windows\System32\*,Used for installing drivers +powerpnt.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Office binary +powerpnt.exe,C:\Program Files\Microsoft Office*,Microsoft Office binary +presentationhost.exe,C:\Windows\System32\*,File is used for executing Browser applications +presentationhost.exe,C:\Windows\SysWOW64\*,File is used for executing Browser applications +print.exe,C:\Windows\System32\*,Used by Windows to send files to the printer +print.exe,C:\Windows\SysWOW64\*,Used by Windows to send files to the printer +printbrm.exe,C:\Windows\System32\spool\tools\*,Printer Migration Command-Line Tool +protocolhandler.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Office binary +protocolhandler.exe,C:\Program Files\Microsoft Office*,Microsoft Office binary +provlaunch.exe,C:\Windows\System32\*,Launcher process +psr.exe,C:\Windows\System32\*,"Windows Problem Steps Recorder, used to record screen and clicks." +psr.exe,C:\Windows\SysWOW64\*,"Windows Problem Steps Recorder, used to record screen and clicks." 
+rasautou.exe,C:\Windows\System32\*,Windows Remote Access Dialer +rdrleakdiag.exe,C:\Windows\System32\*,Microsoft Windows resource leak diagnostic tool +rdrleakdiag.exe,C:\Windows\SysWOW64\*,Microsoft Windows resource leak diagnostic tool +reg.exe,C:\Windows\System32\*,Used to manipulate the registry +reg.exe,C:\Windows\SysWOW64\*,Used to manipulate the registry +regasm.exe,C:\windows\Microsoft.NET\Framework\v2.0.50727\*,Part of .NET +regasm.exe,C:\windows\Microsoft.NET\Framework\v4.0.30319\*,Part of .NET +regasm.exe,C:\windows\Microsoft.NET\Framework64\v2.0.50727\*,Part of .NET +regasm.exe,C:\windows\Microsoft.NET\Framework64\v4.0.30319\*,Part of .NET +regedit.exe,C:\windows\*,Used by Windows to manipulate registry +regedit.exe,C:\Windows\SysWOW64\*,Used by Windows to manipulate registry +regini.exe,C:\Windows\System32\*,Used to manipulate the registry +regini.exe,C:\Windows\SysWOW64\*,Used to manipulate the registry +register-cimprovider.exe,C:\Windows\System32\*,Used to register new wmi providers +register-cimprovider.exe,C:\Windows\SysWOW64\*,Used to register new wmi providers +regsvcs.exe,C:\Windows\Microsoft.NET\Framework\*,Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies +regsvcs.exe,C:\Windows\Microsoft.NET\Framework64\*,Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies +regsvr32.exe,C:\Windows\System32\*,Used by Windows to register dlls +regsvr32.exe,C:\Windows\SysWOW64\*,Used by Windows to register dlls +replace.exe,C:\Windows\System32\*,Used to replace file with another file +replace.exe,C:\Windows\SysWOW64\*,Used to replace file with another file +rpcping.exe,C:\Windows\System32\*,Used to verify rpc connection +rpcping.exe,C:\Windows\SysWOW64\*,Used to verify rpc connection +rundll32.exe,C:\Windows\System32\*,Used by Windows to execute dll files +rundll32.exe,C:\Windows\SysWOW64\*,Used by Windows to 
execute dll files +runexehelper.exe,C:\Windows\System32\*,Launcher process +runonce.exe,C:\Windows\System32\*,Executes a Run Once Task that has been configured in the registry +runonce.exe,C:\Windows\SysWOW64\*,Executes a Run Once Task that has been configured in the registry +sc.exe,C:\Windows\System32\*,Used by Windows to manage services +sc.exe,C:\Windows\SysWOW64\*,Used by Windows to manage services +schtasks.exe,C:\Windows\System32\*,Schedule periodic tasks +schtasks.exe,C:\Windows\SysWOW64\*,Schedule periodic tasks +scriptrunner.exe,C:\Windows\System32\*,Execute binary through proxy binary to evade defensive counter measures +scriptrunner.exe,C:\Windows\SysWOW64\*,Execute binary through proxy binary to evade defensive counter measures +setres.exe,C:\Windows\System32\*,Configures display settings +settingsynchost.exe,C:\Windows\System32\*,Host Process for Setting Synchronization +settingsynchost.exe,C:\Windows\SysWOW64\*,Host Process for Setting Synchronization +sqldumper.exe,C:\Program Files\microsoft office\root\vfs\*,Debugging utility included with Microsoft SQL. +sqldumper.exe,C:\Program Files\Microsoft SQL Server\*,Debugging utility included with Microsoft SQL. +sqlps.exe,C:\Program Files (x86)\Microsoft SQL Server\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons." +sqlps.exe,C:\Program Files\Microsoft SQL Server\*,"Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons." 
+sqltoolsps.exe,C:\Program Files (x86)\Microsoft SQL Server\*,Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+. +stordiag.exe,C:\Windows\System32\*,Storage diagnostic tool +stordiag.exe,C:\Windows\SysWOW64\*,Storage diagnostic tool +syncappvpublishingserver.exe,C:\Windows\System32\*,Used by App-v to get App-v server lists +syncappvpublishingserver.exe,C:\Windows\SysWOW64\*,Used by App-v to get App-v server lists +tar.exe,C:\Windows\System32\*,Used by Windows to extract and create archives. +tar.exe,C:\Windows\SysWOW64\*,Used by Windows to extract and create archives. +testwindowremoteagent.exe,C:\Program Files\Microsoft Visual Studio\*,TestWindowRemoteAgent.exe is the command-line tool to establish RPC +ttdinject.exe,C:\Windows\System32\*,Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) +ttdinject.exe,C:\Windows\SysWOW64\*,Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe) +tttracer.exe,C:\Windows\System32\*,Used by Windows 1809 and newer to Debug Time Travel +tttracer.exe,C:\Windows\SysWOW64\*,Used by Windows 1809 and newer to Debug Time Travel +unregmp2.exe,C:\Windows\System32\*,Microsoft Windows Media Player Setup Utility +unregmp2.exe,C:\Windows\SysWOW64\*,Microsoft Windows Media Player Setup Utility +vbc.exe,C:\Windows\Microsoft.NET\Framework\*,Binary file used for compile vbs code +vbc.exe,C:\Windows\Microsoft.NET\Framework64\*,Binary file used for compile vbs code +verclsid.exe,C:\Windows\System32\*,Used to verify a COM object before it is instantiated by Windows Explorer +verclsid.exe,C:\Windows\SysWOW64\*,Used to verify a COM object before it is instantiated by Windows Explorer +visualuiaverifynative.exe,C:\Program Files (x86)\Windows Kits\*,A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls. 
+vsdiagnostics.exe,C:\Program Files\Microsoft Visual Studio\*,Command-line tool used for performing diagnostics. +vshadow.exe,C:\Program Files (x86)\Windows Kits\*,VShadow is a command-line tool that can be used to create and manage volume shadow copies. +vsiisexelauncher.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,Binary will execute specified binary. Part of VS/VScode installation. +vsjitdebugger.exe,C:\Windows\System32\*,Just-In-Time (JIT) debugger included with Visual Studio +vsjitdebugger.exe,C:\Windows\SysWOW64\*,Just-In-Time (JIT) debugger included with Visual Studio +vsls-agent.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,Agent for Visual Studio Live Share (Code Collaboration) +vstest.console.exe,C:\Program Files (x86)\Microsoft Visual Studio\*,VSTest.Console.exe is the command-line tool to run tests +vstest.console.exe,C:\Program Files\Microsoft Visual Studio\*,VSTest.Console.exe is the command-line tool to run tests +wab.exe,C:\Program Files (x86)\Windows Mail\*,Windows address book manager +wab.exe,C:\Program Files\Windows Mail\*,Windows address book manager +wbadmin.exe,C:\Windows\System32\*,Windows Backup Administration utility +wfc.exe,C:\Program Files (x86)\Microsoft SDKs\*,The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK). 
+winproj.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Project Executable +winproj.exe,C:\Program Files\Microsoft Office*,Microsoft Project Executable +winword.exe,C:\Program Files (x86)\Microsoft Office*,Microsoft Office binary +winword.exe,C:\Program Files\Microsoft Office*,Microsoft Office binary +wlrmdr.exe,C:\Windows\System32\*,Windows Logon Reminder executable +wmic.exe,C:\Windows\System32\wbem\*,The WMI command-line (WMIC) utility provides a command-line interface for WMI +wmic.exe,C:\Windows\SysWOW64\wbem\*,The WMI command-line (WMIC) utility provides a command-line interface for WMI +workfolders.exe,C:\Windows\System32\*,Work Folders +wscript.exe,C:\Windows\System32\*,Used by Windows to execute scripts +wscript.exe,C:\Windows\SysWOW64\*,Used by Windows to execute scripts +wsreset.exe,C:\Windows\System32\*,Used to reset Windows Store settings according to its manifest file +wt.exe,C:\Program Files\WindowsApps\microsoft.windowsterminal_*,Windows Terminal +wuauclt.exe,C:\Windows\System32\*,Windows Update Client +xwizard.exe,C:\Windows\System32\*,Execute custom class that has been added to the registry or download a file with Xwizard.exe +xwizard.exe,C:\Windows\SysWOW64\*,Execute custom class that has been added to the registry or download a file with Xwizard.exe diff --git a/lookups/lolbas_file_path.yml b/lookups/lolbas_file_path.yml index 73ecc09722..0ec64f8d99 100644 --- a/lookups/lolbas_file_path.yml +++ b/lookups/lolbas_file_path.yml 
@@ -1,10 +1,10 @@
 name: lolbas_file_path
-date: 2024-12-23
-version: 2
+date: 2025-12-18
+version: 3
 id: b88d9c91-33c6-408a-8ef0-00806932f8c5
 author: Splunk Threat Research Team
 lookup_type: csv
-description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows, Updated for 2024 from lolbas project.
+description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows systems.
 default_match: false
 match_type:
 - WILDCARD(lolbas_file_name)
From 142cda385cab500684776f33e892cc69e7e117f3 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Sat, 20 Dec 2025 01:11:38 +0100 Subject: [PATCH 2/7] Update suspicious_email_attachment_extensions.yml --- ...suspicious_email_attachment_extensions.yml | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml
index 022b86a32f..f2d3cd6611 100644
--- a/detections/application/suspicious_email_attachment_extensions.yml
+++ b/detections/application/suspicious_email_attachment_extensions.yml
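Review bot: In the lines shown, `match_type` only declares wildcard matching for `lolbas_file_name`, yet the path column of the companion CSV in this same commit is written with trailing wildcards (`C:\Windows\System32\*`, `C:\Program Files (x86)\Microsoft Office*`); a lookup that also keys on that column compares the `*` literally and will not match unless the definition lists it too, e.g. `- WILDCARD(lolbas_file_path)` using the CSV's actual path column name. The CSV additionally mixes `C:\windows\*` and `C:\Windows\...` spellings, so unless the definition sets `case_sensitive_match: false` (not visible in this hunk) a match depends on the casing the endpoint reports. Since this is the version being bumped, both are worth confirming in the definition before release.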
@@ -16,16 +16,20 @@ description: The following analytic detects emails containing attachments with s
 data_source: []
 search: |
 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
- as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user,
- All_Email.file_name All_Email.message_id
+ as lastTime from datamodel=Email.All_Email where All_Email.file_name="*"
+
+ by All_Email.src_user All_Email.file_name All_Email.file_size All_Email.message_id
+ All_Email.message_info All_Email.process All_Email.process_id All_Email.orig_dest
+ All_Email.orig_recipient
+
+ | `drop_dm_object_name(All_Email)`
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
- | `drop_dm_object_name("All_Email")`
 | lookup update=true is_suspicious_file_extension_lookup file_name OUTPUT suspicious
 | search suspicious=true
 | `suspicious_email_attachment_extensions_filter`
-how_to_implement: "You need to ingest data from emails. Specifically, the sender's
- address and the file names of any attachments must be mapped to the Email data model.\n
+how_to_implement: |
+ You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.
 **Splunk Phantom Playbook Integration**\nIf Splunk Phantom is also configured in your environment, a Playbook called \"Suspicious Email Attachment Investigate and Delete\" can be configured to run when any results are found by this detection search.
@@ -38,7 +42,7 @@ how_to_implement: "You need to ingest data from emails. Specifically, the sender
 known_false_positives: None identified
 references: []
 rba:
- message: Suspicious attachment from $src_user$
+ message: Email attachment $file_name$ with suspicious extension from $src_user$
 risk_objects:
 - field: user
 type: user
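Review bot: Switching `how_to_implement` from a double-quoted scalar to a literal block (`+how_to_implement: |`) changes how the unchanged lines below it parse: the context lines still carry `\n` and `\"` (`**Splunk Phantom Playbook Integration**\nIf Splunk Phantom ...`, `\"Suspicious Email Attachment Investigate and Delete\"`), which were escape sequences inside the quoted string but are literal backslashes in a block scalar, so the rendered text will now show `\n` and `\"` verbatim. Replace the `\n` with a real line break and drop the backslashes before the quotes on those lines. The `how_to_implement` block continues past the end of this hunk, so the same check applies to its remaining lines.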
@@ -46,15 +50,15 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - Data Destruction
- - Emotet Malware DHS Report TA18-201A
- - Hermetic Wiper
- - Suspicious Emails
+ - Data Destruction
+ - Emotet Malware DHS Report TA18-201A
+ - Hermetic Wiper
+ - Suspicious Emails
 asset_type: Endpoint
 mitre_attack_id:
- - T1566.001
+ - T1566.001
 product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
From 6afe2d7b1b1a8f9b449d83854cf658db7e3a874f Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 22 Dec 2025 21:52:34 +0100 Subject: [PATCH 3/7] update susp extension lookup --- .../is_suspicious_file_extension_lookup.csv | 46 +++++-------------- .../is_suspicious_file_extension_lookup.yml | 2 +- 2 files changed, 13 insertions(+), 35 deletions(-)
diff --git a/lookups/is_suspicious_file_extension_lookup.csv b/lookups/is_suspicious_file_extension_lookup.csv
index 1284088431..3c7b42b9e4 100644
--- a/lookups/is_suspicious_file_extension_lookup.csv
+++ b/lookups/is_suspicious_file_extension_lookup.csv
@@ -1,52 +1,30 @@
 file_name,suspicious
-*.avi.com,true
-*.avi.exe,true
-*.doc.com,true
-*.doc.exe,true
-*.docx.com,true
-*.docx.exe,true
-*.jpg.com,true
-*.jpg.exe,true
-*.jpeg.com,true
-*.jpeg.exe,true
-*.mpg.com,true
-*.mpg.exe,true
-*.mpg2.com,true
-*.mpg2.exe,true
-*.mpeg.com,true
-*.mpeg.exe,true
-*.pdf.com,true
-*.pdf.exe,true
-*.png.com,true
-*.png.exe,true
-*.ppt.com,true
-*.ppt.exe,true
-*.pptx.com,true
-*.pptx.exe,true
-*.swf.com,true
-*.swf.exe,true
-*.xls.com,true
-*.xls.exe,true
-*.xlsx.com,true
-*.xlsx.exe,true
-*.zip.com,true
-*.zip.exe,true
+*.appinstaller,true
 *.bat,true
+*.bin,true
 *.chm,true
-*.com,true
 *.cmd,true
+*.com,true
 *.cpl,true
+*.deb,true
 *.exe,true
 *.hlp,true
 *.hta,true
 *.jar,true
 *.js,true
+*.jse,true
+*.msc,true
 *.msi,true
 *.pif,true
 *.ps1,true
+*.psd1,true
+*.psm1,true
 *.rar,true
 *.reg,true
+*.rpm,true
 *.scr,true
+*.sh,true
+*.url,true
 *.vbe,true
 *.vbs,true
-*.wsf,true
+*.wsf,true
\ No newline at end of file
diff --git a/lookups/is_suspicious_file_extension_lookup.yml b/lookups/is_suspicious_file_extension_lookup.yml
index 3b8372232c..081e048074 100644
--- a/lookups/is_suspicious_file_extension_lookup.yml
+++ b/lookups/is_suspicious_file_extension_lookup.yml
@@ -6,4 +6,4 @@ author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of suspicious extensions for email attachments
 match_type:
-- WILDCARD(file_name)
\ No newline at end of file
+- WILDCARD(file_name)
From 9785c3006ff6274747c305ecfac834515fa98441 Mon Sep 17 00:00:00 2001
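Review bot: The new side of this CSV ends without a trailing newline (`+*.wsf,true` is followed by `\ No newline at end of file`), while the `.yml` hunk right below it fixes exactly that in the other direction; the next append to this list will show `*.wsf,true` as modified for no reason. Worth restoring the final newline here. Separately, `WILDCARD(file_name)` lookups are case-sensitive unless the definition sets `case_sensitive_match: false`, which the `.yml` lines shown (6-9) do not include, so an attachment named `Report.EXE` (constructed example) would not hit these lower-case patterns; confirm the setting or add it to the definition.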
From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Jan 2026 15:56:54 +0100 Subject: [PATCH 4/7] some additional fixes --- ...no_command_line_arguments_with_network.yml | 74 ++-- ...no_command_line_arguments_with_network.yml | 54 ++- ...host_with_no_command_line_with_network.yml | 57 ++- .../single_letter_process_on_endpoint.yml | 87 +++- ...rocesses_run_from_unexpected_locations.yml | 7 +- lookups/is_net_windows_file.csv | 44 +- .../is_suspicious_file_extension_lookup.yml | 4 +- lookups/is_windows_system_file.csv | 414 +++++++++--------- lookups/is_windows_system_file.yml | 6 +- 9 files changed, 421 insertions(+), 326 deletions(-)
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
index c52cb0ddf9..72a288fd12 100644
--- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -1,53 +1,61 @@
 name: DLLHost with no Command Line Arguments with Network
 id: f1c07594-a141-11eb-8407-acde48001122
-version: 13
-date: '2025-06-30'
+version: 14
+date: '2026-01-01'
 author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
 description: |
 The following analytic detects instances of DLLHost.exe running without command line arguments while establishing a network connection.
- This behavior is identified using Endpoint Detection and Response (EDR) telemetry,
- focusing on process execution and network activity data.
- It is significant because DLLHost.exe typically runs with specific arguments,
- and its absence can indicate malicious activity, such as Cobalt Strike usage.
- If confirmed malicious, this activity could allow attackers to execute code,
+ This behavior is identified using Endpoint Detection and Response (EDR) telemetry,
+ focusing on process execution and network activity data.
+ It is significant because DLLHost.exe typically runs with specific arguments,
+ and its absence can indicate malicious activity, such as Cobalt Strike usage.
+ If confirmed malicious, this activity could allow attackers to execute code,
 move laterally, or exfiltrate data, posing a severe threat to the network's security.
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 3
 search: |
 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
- as lastTime FROM datamodel=Endpoint.Processes where
- Processes.process_name=dllhost.exe
- Processes.action!="blocked"
- by host _time span=1h
- Processes.action Processes.dest Processes.original_file_name
- Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
- Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
- Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
- Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
- Processes.user Processes.user_id Processes.vendor_product
- | `drop_dm_object_name(Processes)`
+ as lastTime FROM datamodel=Endpoint.Processes where
+ (
+ Processes.process_name=dllhost.exe
+ OR
+ Processes.original_file_name=dllhost.exe
+ )
+ Processes.process IN (
+ "*dllhost",
+ "*dllhost.exe",
+ "*dllhost.exe\""
+ )
+ by host _time span=1h
+ Processes.action Processes.dest Processes.original_file_name
+ Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+ Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+ Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+ Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+ Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | regex process="(?i)(dllhost\.exe.{0,4}$)"
- | rename dest as src
- | join host process_id [
+ | `security_content_ctime(lastTime)`
+ | rename dest as src
+ | join host process_id
+ [
 | tstats `security_content_summariesonly`
- count
- latest(All_Traffic.dest) as dest
- latest(All_Traffic.dest_ip) as dest_ip
- latest(All_Traffic.dest_port) as dest_port
- FROM datamodel=Network_Traffic.All_Traffic where
- All_Traffic.dest_port != 0
- by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in
- All_Traffic.bytes_out All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port
- All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
- All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user
+ count
+ latest(All_Traffic.dest) as dest
+ latest(All_Traffic.dest_ip) as dest_ip
+ latest(All_Traffic.dest_port) as dest_port
+ FROM datamodel=Network_Traffic.All_Traffic where
+ All_Traffic.dest_port != 0
+ by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in
+ All_Traffic.bytes_out All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port
+ All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
+ All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user
 All_Traffic.vendor_product All_Traffic.direction All_Traffic.process_id
 | `drop_dm_object_name(All_Traffic)`
- ]
+ ]
 | `dllhost_with_no_command_line_arguments_with_network_filter`
 how_to_implement: |
 The detection is based on data that originates from Endpoint Detection
diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
index ddd46635be..b14e881432 100644
--- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
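Review bot: The new `Processes.original_file_name=dllhost.exe` branch is effectively dead, because the `Processes.process IN ("*dllhost", "*dllhost.exe", "*dllhost.exe\"")` clause that follows it only accepts command lines ending in the dllhost name; a copy renamed to anything else has a command line ending in the new name and is filtered out before the OR can contribute. Either drop that branch or express the no-arguments test relative to the observed image name rather than a fixed suffix. The rewrite also silently drops the old `Processes.action!="blocked"` filter (the rundll32 hunk in this same commit does the same), so executions the EDR already blocked are no longer excluded up front; if that is intended the description should say so, otherwise re-add `Processes.action!="blocked"` after the IN list. Note as well that the removed `.{0,4}$` regex tolerated a few trailing characters such as a stray space or quote, which the IN list does not.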
@@ -1,8 +1,8 @@
 name: Rundll32 with no Command Line Arguments with Network
 id: 35307032-a12d-11eb-835f-acde48001122
-version: 12
-date: '2025-05-02'
-author: Steven Dick, Michael Haag, Splunk
+version: 13
+date: '2026-01-01'
+author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
 description: The following analytic detects the execution of rundll32.exe without
@@ -15,24 +15,38 @@ description: The following analytic detects the execution of rundll32.exe withou
 of the system.
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 3
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
- as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!="blocked"
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+ as lastTime FROM datamodel=Endpoint.Processes where
+ `process_rundll32`
+ Processes.process IN (
+ "*rundll32",
+ "*rundll32.exe",
+ "*rundll32.exe\""
+ )
 by host _time span=1h Processes.action Processes.dest Processes.original_file_name
- Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
- Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
- Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
- Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
- Processes.user Processes.user_id Processes.vendor_product
- | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
- | regex process="(?i)(rundll32\.exe.{0,4}$)" | rename dest as src | join host process_id
- [| tstats `security_content_summariesonly` count
- FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by host
- All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
- All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
- All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
- All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
- All_Traffic.process_id | `drop_dm_object_name(All_Traffic)`]
- | `rundll32_with_no_command_line_arguments_with_network_filter`'
+ Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+ Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+ Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+ Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+ Processes.user Processes.user_id Processes.vendor_product
+ | `drop_dm_object_name(Processes)`
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | rename dest as src
+ | join host process_id
+ [
+ | tstats `security_content_summariesonly` count
+ FROM datamodel=Network_Traffic.All_Traffic where
+ All_Traffic.dest_port != 0
+ by host All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
+ All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
+ All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
+ All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
+ All_Traffic.process_id
+ | `drop_dm_object_name(All_Traffic)`
+ ]
+ | `rundll32_with_no_command_line_arguments_with_network_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search,
diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
index 6e45e9b73b..73806b79c2 100644
--- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
+++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
@@ -1,7 +1,7 @@ name: SearchProtocolHost with no Command Line with Network id: b690df8c-a145-11eb-a38b-acde48001122 -version: 11 -date: '2025-10-14' +version: 12 +date: '2026-01-01' author: Michael Haag, Splunk status: production type: TTP 
@@ -15,23 +15,42 @@ description: The following analytic detects instances of searchprotocolhost.exe and control, potentially leading to data exfiltration or further system compromise. data_source: - Sysmon EventID 1 AND Sysmon EventID 3 -search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes - where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid Processes.process_hash - Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path - Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | regex process="(?i)(searchprotocolhost\.exe.{0,4}$)" | join process_id [| tstats - `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic - where All_Traffic.dest_port != 0 by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out - All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol - All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port - All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction - All_Traffic.process_id - | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name - process_name process_path process process_id dest_port C2 | `searchprotocolhost_with_no_command_line_with_network_filter`' +search: | + | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where + ( + Processes.process_name=searchprotocolhost.exe + OR + 
Processes.original_file_name=searchprotocolhost.exe + ) + Processes.process IN ( + "*searchprotocolhost", + "*searchprotocolhost.exe", + "*searchprotocolhost.exe\"" + ) + by _time span=1h Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid Processes.process_hash + Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path + Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | join process_id + [ + | tstats `security_content_summariesonly` count + FROM datamodel=Network_Traffic.All_Traffic where + All_Traffic.dest_port != 0 + by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out + All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol + All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port + All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction + All_Traffic.process_id + | `drop_dm_object_name(All_Traffic)` + | rename dest as C2 + ] + | table _time dest parent_process_name process_name process_path process process_id dest_port C2 + | `searchprotocolhost_with_no_command_line_with_network_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, 
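Review bot: `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` are applied to fields this tstats never produces — it computes only `count` by `_time span=1h` — so either add `min(_time) as firstTime max(_time) as lastTime` to the tstats or drop the two macro calls (the closing `table` lists `_time` and does not reference them anyway). The subsearch join is on `process_id` alone, whereas the rundll32 search in this same patch joins on `host process_id`; PIDs are reused across endpoints, so without `host` in both `by` clauses and in `| join host process_id` the search can pair a searchprotocolhost.exe on one machine with traffic from another. Adding `OR Processes.original_file_name=searchprotocolhost.exe` is a good catch for renamed copies, but a renamed copy will then also fail the `Processes.process IN ("*searchprotocolhost", ...)` command-line filter that follows it, so the OR may never add a match in practice — worth a comment on what case it is meant to cover. The `description` starts before this hunk; the `search` block is complete within it.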
diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml index a7897511ee..d342f2a02c 100644 --- a/detections/endpoint/single_letter_process_on_endpoint.yml +++ b/detections/endpoint/single_letter_process_on_endpoint.yml @@ -1,7 +1,7 @@ name: Single Letter Process On Endpoint id: a4214f0b-e01c-41bc-8cc4-d2b71e3056b4 -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-12-29' author: David Dorsey, Splunk status: production type: TTP 
@@ -18,16 +18,79 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes by Processes.action Processes.dest - Processes.original_file_name Processes.parent_process Processes.parent_process_exec - Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name - Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name - Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` - | eval process_name_length = len(process_name), endExe = if(substr(process_name, - -4) == ".exe", 1, 0) | search process_name_length=5 AND endExe=1 | `single_letter_process_on_endpoint_filter`' +search: | + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + from datamodel=Endpoint.Processes where + Processes.process_name IN ( + "_.exe", + "-.exe", + ",.exe", + ";.exe", + "!.exe", + "'.exe" + "(.exe", + "(.exe", + ").exe", + ").exe", + "@.exe", + "&.exe", + "#.exe", + "%.exe", + "`.exe", + "^.exe", + "+.exe", + "=.exe", + "~.exe", + "$.exe", + "0.exe", + "1.exe", + "2.exe", + "3.exe", + "4.exe", + "5.exe", + "6.exe", + "7.exe", + "8.exe", + "9.exe", + "a.exe", + "b.exe", + "c.exe", + "d.exe", + "e.exe", + "f.exe", + "g.exe", + "h.exe", + "i.exe", + "j.exe", + "k.exe", + "l.exe", + "m.exe", + "N.exe", + "o.exe", + "p.exe", + "q.exe", + "r.exe", + "s.exe", + "t.exe", + "u.exe", + "v.exe", + "w.exe", + "x.exe", + "y.exe", + "z.exe", + ) + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec 
Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process + Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id + Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(lastTime)` + | `security_content_ctime(firstTime)` + | `single_letter_process_on_endpoint_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index d1b56cdd7b..d33af8940e 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -1,7 +1,7 @@ name: System Processes Run From Unexpected Locations id: a34aae96-ccf8-4aef-952c-3ea21444444d -version: 13 -date: '2025-12-13' +version: 14 +date: '2025-12-31' author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -23,12 +23,13 @@ search: | NOT Processes.process_path IN ( "*:\\$WINDOWS.~BT\\*", "*:\\$WinREAgent\\*", + "*:\\Program Files \(x86\)\\Windows Kits\\10\\App Certification Kit\\*", "*:\\Windows\\SoftwareDistribution\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\SystemTemp\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\uus\\*", - "*:\\Windows\\WinSxS\\*", + "*:\\Windows\\WinSxS\\*" ) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id 
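Review bot: The new `Processes.process_name IN (...)` list is malformed: `"'.exe"` has no trailing comma before `"(.exe",`, and the list ends with a dangling comma after `"z.exe",` — depending on the SPL parser this either errors out or silently changes what is matched, so write `"'.exe",` and remove the final comma. `"(.exe"` and `").exe"` each appear twice, and `"N.exe"` is the only upper-case entry; if tstats compares case-sensitively (confirm), every other letter is matched only in lower case and `n.exe` is never matched. The explicit list is also narrower than the `len(process_name)=5 AND endswith .exe` logic it replaces: names such as `[.exe`, `].exe`, `{.exe`, `}.exe` or ` .exe` no longer trigger, so either document the intended character set in the description or keep a `len()`/regex check alongside the list. The `search` block is complete within this hunk.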
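Review bot: The added exclusion `"*:\\Program Files \(x86\)\\Windows Kits\\10\\App Certification Kit\\*"` carves a user-installed directory under Program Files (x86) out of a rule whose premise is that system binaries live under Windows servicing paths; it presumably silences a specific Windows Kits false positive, and the commit message should name which binary so the carve-out can be revisited rather than quietly becoming a bypass path for anyone who can write there. Confirm that `\(x86\)` inside a double-quoted SPL wildcard matches a literal `(x86)` — if the backslash is kept as a literal character the pattern never matches and the exclusion does nothing. Removing the trailing comma after `"*:\\Windows\\WinSxS\\*"` is correct. The `by` clause continues past the end of this hunk.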
diff --git a/lookups/is_net_windows_file.csv b/lookups/is_net_windows_file.csv index 4c21dbd007..f81aff89df 100644 --- a/lookups/is_net_windows_file.csv +++ b/lookups/is_net_windows_file.csv 
@@ -1,35 +1,41 @@
 filename,originalFileName,netFile
-MSBuild.exe,MSBuild.exe,True
-ComSvcConfig.exe,ComSvcConfig.exe,True
-DfsrAdmin.exe,DfsrAdmin.exe,True
-dfsvc.exe,dfsvc.exe,True
-Microsoft.Workflow.Compiler.exe,Microsoft.Workflow.Compiler.exe,True
-SMSvcHost.exe,SMSvcHost.exe,True
-WsatConfig.exe,WsatConfig.exe,True
+acu.exe,acu.exe,True
 AddInProcess.exe,AddInProcess.exe,True
 AddInProcess32.exe,AddInProcess32.exe,True
 AddInUtil.exe,AddInUtil.exe,True
+AppVStreamingUX.exe,,True
 aspnet_compiler.exe,aspnet_compiler.exe,True
 aspnet_regbrowsers.exe,aspnet_regbrowsers.exe,True
+aspnet_regiis.exe,aspnet_regiis.exe,True
 aspnet_regsql.exe,aspnet_regsql.exe,True
 CasPol.exe,CasPol.exe,True
+ComSvcConfig.exe,ComSvcConfig.exe,True
 DataSvcUtil.exe,DataSvcUtil.exe,True
+DfsrAdmin.exe,DfsrAdmin.exe,True
+dfsvc.exe,dfsvc.exe,True
+dsac.exe,dsac.exe,True
 EdmGen.exe,EdmGen.exe,True
+FileHistory.exe,FileHistory.exe,True
+iediagcmd.exe,IEDiagCmd.exe,True
+iisual.exe,iisual.exe,True
 InstallUtil.exe,InstallUtil.exe,True
 jsc.exe,jsc.exe,True
-ngentask.exe,ngentask.exe,True
-ngen.exe,ngen.exe,True
-RegAsm.exe,RegAsm.exe,True
-RegSvcs.exe,RegSvcs.exe,True
-SDNBR.exe,SDNBR.exe,True
-acu.exe,acu.exe,True
-AppVStreamingUX.exe,,True
-dsac.exe,dsac.exe,True
 LbfoAdmin.exe,LBFOADMIN.EXE,True
+Microsoft.ActiveDirectory.WebServices.exe,Microsoft.ActiveDirectory.WebServices.exe,True
 Microsoft.Uev.SyncController.exe,Microsoft.Uev.SyncController.exe,True
+Microsoft.Workflow.Compiler.exe,Microsoft.Workflow.Compiler.exe,True
+MSBuild.exe,MSBuild.exe,True
 mtedit.exe,mtedit.exe,True
+ngen.exe,ngen.exe,True
+ngentask.exe,ngentask.exe,True
+powershell_ise.exe,powershell_ise.EXE,True
+RegAsm.exe,RegAsm.exe,True
+RegSvcs.exe,RegSvcs.exe,True
 ScriptRunner.exe,ScriptRunner.exe,True
+SDNBR.exe,SDNBR.exe,True
+SecureAssessmentBrowser.exe,SecureAssessmentBrowser.exe,True
 ServerManager.exe,servermanager.dll,True
+SMSvcHost.exe,SMSvcHost.exe,True
 stordiag.exe,stordiag.exe,True
 storeadm.exe,storeadm.exe,True
tzsync.exe,tzsync.exe,True @@ -37,11 +43,5 @@ UevAgentPolicyGenerator.exe,UevAgentPolicyGenerator.exe,True UevAppMonitor.exe,UevAppMonitor.exe,True UevTemplateBaselineGenerator.exe,UevTemplateBaselineGenerator.exe,True UevTemplateConfigItemGenerator.exe,UevTemplateConfigItemGenerator.exe,True -powershell_ise.exe,powershell_ise.EXE,True -iediagcmd.exe,IEDiagCmd.exe,True +WsatConfig.exe,WsatConfig.exe,True XBox.TCUI.exe,XBox.TCUI.exe,True -Microsoft.ActiveDirectory.WebServices.exe,Microsoft.ActiveDirectory.WebServices.exe,True -iisual.exe,iisual.exe,True -FileHistory.exe,FileHistory.exe,True -SecureAssessmentBrowser.exe,SecureAssessmentBrowser.exe,True -aspnet_regiis.exe,aspnet_regiis.exe,True \ No newline at end of file diff --git a/lookups/is_suspicious_file_extension_lookup.yml b/lookups/is_suspicious_file_extension_lookup.yml index 081e048074..e1090242d2 100644 --- a/lookups/is_suspicious_file_extension_lookup.yml +++ b/lookups/is_suspicious_file_extension_lookup.yml @@ -1,6 +1,6 @@ name: is_suspicious_file_extension_lookup -date: 2024-12-23 -version: 2 +date: 2025-12-29 +version: 3 id: 183b3599-4fbd-4b76-bff0-9d689ed05e17 author: Splunk Threat Research Team lookup_type: csv diff --git a/lookups/is_windows_system_file.csv b/lookups/is_windows_system_file.csv index 96617dd524..634984f99e 100644 --- a/lookups/is_windows_system_file.csv +++ b/lookups/is_windows_system_file.csv @@ -1,5 +1,7 @@ filename,systemFile +_isdel.exe,true acu.exe,true +agentactivationruntimestarter.exe,true AgentService.exe,true aitstatic.exe,true alg.exe,true @@ -9,8 +11,11 @@ appidpolicyconverter.exe,true appidtel.exe,true ApplicationFrameHost.exe,true ApplySettingsTemplateCatalog.exe,true +ApplyTrustOffline.exe,true +ApproveChildRequest.exe,true AppVClient.exe,true AppVDllSurrogate.exe,true +appverif.exe,true AppVNice.exe,true AppVStreamingUX.exe,true ARP.EXE,true 
@@ -18,23 +23,35 @@ at.exe,true AtBroker.exe,true attrib.exe,true audiodg.exe,true +audit.exe,true auditpol.exe,true +AuditShD.exe,true AuthHost.exe,true autochk.exe,true autoconv.exe,true autofmt.exe,true AxInstUI.exe,true +baaupdate.exe,true backgroundTaskHost.exe,true BackgroundTransferHost.exe,true bcastdvr.exe,true bcdboot.exe,true bcdedit.exe,true +bdechangepin.exe,true +BdeHdCfg.exe,true +BdeUISrv.exe,true +bdeunlock.exe,true BioIso.exe,true +BitLockerDeviceEncryption.exe,true +BitLockerWizard.exe,true +BitLockerWizardElev.exe,true bitsadmin.exe,true bootcfg.exe,true bootim.exe,true +bootsect.exe,true bridgeunattend.exe,true browser_broker.exe,true +browserexport.exe,true bthudtask.exe,true ByteCodeGenerator.exe,true cacls.exe,true @@ -54,6 +71,9 @@ chgusr.exe,true chkdsk.exe,true chkntfs.exe,true choice.exe,true +ChsIME.exe,true +ChtIME.exe,true +CIDiag.exe,true cipher.exe,true cleanmgr.exe,true cliconfg.exe,true @@ -73,12 +93,17 @@ comp.exe,true compact.exe,true CompatTelRunner.exe,true CompMgmtLauncher.exe,true +CompPkgSrv.exe,true ComputerDefaults.exe,true +comrepl.exe,true Configure-SMRemoting.exe,true conhost.exe,true consent.exe,true control.exe,true convert.exe,true +convertvhd.exe,true +coredpussvr.exe,true +CredentialEnrollmentManager.exe,true CredentialUIBroker.exe,true credwiz.exe,true cscript.exe,true @@ -86,16 +111,24 @@ csrss.exe,true ctfmon.exe,true cttune.exe,true cttunesvr.exe,true +curl.exe,true +CustomInstallExec.exe,true +d3dconfig.exe,true dasHost.exe,true DataExchangeHost.exe,true DataSenseLiveTileTask.exe,true +DataStoreCacheDumpTool.exe,true +DataUsageLiveTileTask.exe,true dccw.exe,true dcgpofix.exe,true dcomcnfg.exe,true dcpromo.exe,true ddodiag.exe,true Defrag.exe,true +deploymentcsphelper.exe,true +desktopimgdownldr.exe,true DeviceCensus.exe,true +DeviceCredentialDeployment.exe,true DeviceEject.exe,true DeviceEnroller.exe,true DevicePairingWizard.exe,true 
@@ -103,14 +136,17 @@ DeviceProperties.exe,true DFDWiz.exe,true dfrgui.exe,true dfsrdiag.exe,true +DiagnosticsHub.StandardCollector.Service.exe,true dialer.exe,true DIMC.exe,true +directxdatabaseupdater.exe,true diskpart.exe,true diskperf.exe,true diskraid.exe,true diskshadow.exe,true DiskSnapshot.exe,true Dism.exe,true +DismHost.exe,true dispdiag.exe,true DisplaySwitch.exe,true djoin.exe,true @@ -118,12 +154,14 @@ dllhost.exe,true dllhst3g.exe,true dmcertinst.exe,true dmcfghost.exe,true +dmclient.exe,true DmNotificationBroker.exe,true DmOmaCpMo.exe,true dnscacheugc.exe,true doskey.exe,true dpapimig.exe,true DpiScaling.exe,true +dplaysvr.exe,true dpnsvr.exe,true driverquery.exe,true drvcfg.exe,true @@ -131,21 +169,30 @@ drvinst.exe,true DsmUserTask.exe,true dsregcmd.exe,true dstokenclean.exe,true +dtdump.exe,true +DTUHandler.exe,true +dusmtask.exe,true dvdplay.exe,true dwm.exe,true DWWIN.EXE,true +DXCap.exe,true +DXCpl.exe,true dxdiag.exe,true +dxgiadaptercache.exe,true Dxpserver.exe,true Eap3Host.exe,true EaseOfAccessDialog.exe,true easinvoker.exe,true EasPoliciesBrokerHost.exe,true +EASPolicyManagerBrokerHost.exe,true EDPCleanup.exe,true edpnotify.exe,true +EduPrintProv.exe,true efsui.exe,true EhStorAuthn.exe,true embeddedapplauncher.exe,true EmbeddedAppLauncherConfig.exe,true +EoAExperiences.exe,true escUnattend.exe,true esentutl.exe,true eudcedit.exe,true @@ -153,10 +200,15 @@ eventcreate.exe,true eventvwr.exe,true expand.exe,true extrac32.exe,true +F12Chooser.exe,true +FaceFodUninstaller.exe,true fc.exe,true +fhmanagew.exe,true +FileHistory.exe,true find.exe,true findstr.exe,true finger.exe,true +FirstLogonAnim.exe,true fixmapi.exe,true fltMC.exe,true fodhelper.exe,true 
@@ -165,9 +217,15 @@ fontdrvhost.exe,true fontview.exe,true forfiles.exe,true fsavailux.exe,true +FsIso.exe,true fsquirt.exe,true fsutil.exe,true ftp.exe,true +fvenotify.exe,true +fveprompt.exe,true +FXSCOVER.exe,true +FXSSVC.exe,true +FXSUNATD.exe,true GameBarPresenceWriter.exe,true GamePanel.exe,true GenValObj.exe,true @@ -176,12 +234,16 @@ gpresult.exe,true gpscript.exe,true gpupdate.exe,true grpconv.exe,true +hcsdiag.exe,true hdwwiz.exe,true help.exe,true +hh.exe,true +hnsdiag.exe,true HOSTNAME.EXE,true hvax64.exe,true hvix64.exe,true hvloader.exe,true +hvsievaluator.exe,true hwrcomp.exe,true hwrreg.exe,true iashost.exe,true @@ -189,12 +251,31 @@ icacls.exe,true IcsEntitlementHost.exe,true icsunattend.exe,true ie4uinit.exe,true +ie4ushowIE.exe,true +IEChooser.exe,true +IESettingSync.exe,true ieUnatt.exe,true iexpress.exe,true +IMCCPHR.exe,true +ImeBroker.exe,true +imecfmui.exe,true +IMEDICTUPDATEUI.EXE,true +IMEPADSV.EXE,true +IMESEARCH.EXE,true +IMEWDBLD.EXE,true +IMJPDCT.EXE,true +IMJPSET.EXE,true +IMJPUEX.EXE,true +imjpuexc.exe,true immersivetpmvscmgrsvr.exe,true +IMTCLNWZ.EXE,true +IMTCPROP.exe,true InfDefaultInstall.exe,true +InputSwitchToastHandler.exe,true InstallAgent.exe,true InstallAgentUserBroker.exe,true +instnm.exe,true +iotstartup.exe,true ipconfig.exe,true iscsicli.exe,true iscsicpl.exe,true @@ -228,9 +309,11 @@ LsaIso.exe,true lsass.exe,true Magnify.exe,true makecab.exe,true +manage-bde.exe,true mavinject.exe,true MbaeParserTask.exe,true mblctr.exe,true +MBR2GPT.EXE,true mcbuilder.exe,true MDEServer.exe,true MDMAgent.exe,true 
@@ -241,9 +324,19 @@ MdSched.exe,true mfpmp.exe,true Microsoft.Uev.CscUnpinTool.exe,true Microsoft.Uev.SyncController.exe,true +microsoft.windows.softwarelogo.showdesktop.exe,true +MicrosoftEdgeBCHost.exe,true +MicrosoftEdgeCP.exe,true +MicrosoftEdgeDevTools.exe,true +MicrosoftEdgeSH.exe,true +mighost.exe,true +MigRegDB.exe,true mmc.exe,true +mmgaserver.exe,true mobsync.exe,true +mofcomp.exe,true mountvol.exe,true +MoUsoCoreWorker.exe,true mpnotify.exe,true MpSigStub.exe,true MRINFO.EXE,true @@ -258,7 +351,9 @@ msg.exe,true mshta.exe,true msiexec.exe,true msinfo32.exe,true +msoobe.exe,true mspaint.exe,true +msra.exe,true MsSpellCheckingHost.exe,true mstsc.exe,true mtstocom.exe,true @@ -266,9 +361,11 @@ MuiUnattend.exe,true MultiDigiMon.exe,true MusNotification.exe,true MusNotificationUx.exe,true +MusNotifyIcon.exe,true Narrator.exe,true nbtstat.exe,true ndadmin.exe,true +NDKPing.exe,true net.exe,true net1.exe,true netbtugc.exe,true @@ -282,19 +379,28 @@ Netplwiz.exe,true netsh.exe,true NETSTAT.EXE,true newdev.exe,true +NgcIso.exe,true nltest.exe,true +nmbind.exe,true +nmscrub.exe,true notepad.exe,true nslookup.exe,true ntoskrnl.exe,true ntprint.exe,true +nvspinfo.exe,true odbcad32.exe,true odbcconf.exe,true +ofdeploy.exe,true omadmclient.exe,true omadmprc.exe,true +OneDriveSetup.exe,true +oobeldr.exe,true openfiles.exe,true OpenWith.exe,true +OposHost.exe,true OptionalFeatures.exe,true osk.exe,true +pacjsworker.exe,true PackagedCWALauncher.exe,true PackageInspector.exe,true PasswordOnWakeSettingFlyout.exe,true 
@@ -302,20 +408,30 @@ PATHPING.EXE,true pcalua.exe,true pcaui.exe,true pcwrun.exe,true +PerceptionSimulationInput.exe,true +PerceptionSimulationService.exe,true +perfhost.exe,true perfmon.exe,true phoneactivate.exe,true PickerHost.exe,true +PinEnrollmentBroker.exe,true PING.EXE,true PkgMgr.exe,true +PktMon.exe,true plasrv.exe,true PnPUnattend.exe,true pnputil.exe,true poqexec.exe,true +pospaymentsworker.exe,true powercfg.exe,true +powershell_ise.exe,true +powershell.exe,true PresentationHost.exe,true PresentationSettings.exe,true prevhost.exe,true print.exe,true +PrintBrm.exe,true +PrintBrmEngine.exe,true PrintBrmUi.exe,true PrintDialogHost.exe,true PrintDialogHost3D.exe,true @@ -323,14 +439,22 @@ printfilterpipelinesvc.exe,true PrintIsolationHost.exe,true printui.exe,true proquota.exe,true +provlaunch.exe,true +provtool.exe,true +ProximityUxHost.exe,true +prproc.exe,true psr.exe,true pwlauncher.exe,true qappsrv.exe,true qprocess.exe,true query.exe,true +quickassist.exe,true quser.exe,true qwinsta.exe,true +rasautou.exe,true rasdial.exe,true +raserver.exe,true +rasphone.exe,true rdpclip.exe,true rdpinit.exe,true rdpinput.exe,true @@ -341,10 +465,14 @@ rdpshell.exe,true rdpsign.exe,true rdrleakdiag.exe,true RDSPnf.exe,true +RDVGHelper.exe,true ReAgentc.exe,true +recdisc.exe,true recover.exe,true RecoveryDrive.exe,true +refsutil.exe,true reg.exe,true +regedit.exe,true regedt32.exe,true regini.exe,true Register-CimProvider.exe,true @@ -352,15 +480,18 @@ regsvr32.exe,true rekeywiz.exe,true relog.exe,true RelPost.exe,true +RemoteAppLifetimeManager.exe,true +RemoteFXvGPUDisablement.exe,true RemotePosWorker.exe,true +repair-bde.exe,true replace.exe,true reset.exe,true ResetEngine.exe,true resmon.exe,true -RMActivate.exe,true RMActivate_isv.exe,true -RMActivate_ssp.exe,true RMActivate_ssp_isv.exe,true +RMActivate_ssp.exe,true +RMActivate.exe,true RmClient.exe,true rmttpmvscmgrsvr.exe,true Robocopy.exe,true 
@@ -368,8 +499,10 @@ ROUTE.EXE,true RpcPing.exe,true rrinstaller.exe,true rsopprov.exe,true +rstrui.exe,true runas.exe,true rundll32.exe,true +runexehelper.exe,true RunLegacyCPLElevated.exe,true runonce.exe,true RuntimeBroker.exe,true @@ -377,8 +510,12 @@ rwinsta.exe,true sacsess.exe,true sc.exe,true schtasks.exe,true +scp.exe,true +scrcons.exe,true ScriptRunner.exe,true sdbinst.exe,true +sdchange.exe,true +sdclt.exe,true sdiagnhost.exe,true SearchFilterHost.exe,true SearchIndexer.exe,true @@ -386,6 +523,9 @@ SearchProtocolHost.exe,true SecEdit.exe,true secinit.exe,true securekernel.exe,true +SecurityHealthHost.exe,true +SecurityHealthService.exe,true +SecurityHealthSystray.exe,true SensorDataService.exe,true ServerManager.exe,true ServerManagerLauncher.exe,true @@ -395,10 +535,14 @@ sethc.exe,true setres.exe,true setspn.exe,true SettingSyncHost.exe,true +setup16.exe,true setupcl.exe,true setupugc.exe,true setx.exe,true sfc.exe,true +sftp.exe,true +SgrmBroker.exe,true +SgrmLpac.exe,true shrpubw.exe,true shutdown.exe,true sigverif.exe,true @@ -415,9 +559,16 @@ snmptrap.exe,true sort.exe,true SpaceAgent.exe,true spaceman.exe,true +SpatialAudioLicenseSrv.exe,true +Spectrum.exe,true +SpeechModelDownload.exe,true +SpeechRuntime.exe,true +SpeechUXWiz.exe,true spoolsv.exe,true SppExtComObj.Exe,true sppsvc.exe,true +srdelayed.exe,true +SrTasks.exe,true stordiag.exe,true subst.exe,true svchost.exe,true @@ -425,6 +576,7 @@ sxstrace.exe,true SyncAppvPublishingServer.exe,true SyncHost.exe,true syskey.exe,true +sysprep.exe,true SysResetErr.exe,true systeminfo.exe,true SystemPropertiesAdvanced.exe,true 
@@ -435,17 +587,21 @@ SystemPropertiesPerformance.exe,true SystemPropertiesProtection.exe,true SystemPropertiesRemote.exe,true systemreset.exe,true +SystemResetPlatform.exe,true SystemSettingsAdminFlows.exe,true SystemSettingsBroker.exe,true SystemSettingsRemoveDevice.exe,true +SystemUWPLauncher.exe,true systray.exe,true tabcal.exe,true takeown.exe,true TapiUnattend.exe,true +tar.exe,true taskhostw.exe,true taskkill.exe,true tasklist.exe,true Taskmgr.exe,true +tcblaunch.exe,true tcmsetup.exe,true TCPSVCS.EXE,true tdlrecover.exe,true @@ -454,6 +610,7 @@ TieringEngineService.exe,true timeout.exe,true TokenBrokerCookies.exe,true TpmInit.exe,true +TpmTool.exe,true tpmvscmgr.exe,true tpmvscmgrsvr.exe,true tracerpt.exe,true @@ -464,6 +621,8 @@ tsecimp.exe,true tskill.exe,true TSTheme.exe,true TSWbPrxy.exe,true +ttdinject.exe,true +tttracer.exe,true typeperf.exe,true tzsync.exe,true tzutil.exe,true @@ -473,14 +632,24 @@ UevAppMonitor.exe,true UevTemplateBaselineGenerator.exe,true UevTemplateConfigItemGenerator.exe,true UI0Detect.exe,true +UIMgrBroker.exe,true unlodctr.exe,true +UNPUXHost.exe,true +UNPUXLauncher.exe,true unregmp2.exe,true +unsecapp.exe,true +UpdateNotificationMgr.exe,true +upfc.exe,true UpgradeResultsUI.exe,true upnpcont.exe,true +user.exe,true UserAccountBroker.exe,true UserAccountControlSettings.exe,true userinit.exe,true +UserOOBEBroker.exe,true UsoClient.exe,true +usocoreworker.exe,true +UtcDecoderHost.exe,true Utilman.exe,true VaultCmd.exe,true vds.exe,true @@ -488,12 +657,22 @@ vdsldr.exe,true verclsid.exe,true verifier.exe,true verifiergui.exe,true +vfpctrl.exe,true +vmcompute.exe,true +vmwp.exe,true +VsGraphicsDesktopEngine.exe,true +VsGraphicsRemoteEngine.exe,true +vsjitdebugger.exe,true vssadmin.exe,true VSSUIRUN.exe,true VSSVC.exe,true w32tm.exe,true +WaaSMedicAgent.exe,true waitfor.exe,true WallpaperHost.exe,true +wbadmin.exe,true +wbemtest.exe,true +wbengine.exe,true WebCache.exe,true wecutil.exe,true WerFault.exe,true 
@@ -501,253 +680,64 @@ WerFaultSecure.exe,true wermgr.exe,true wevtutil.exe,true wextract.exe,true +WFS.exe,true where.exe,true whoami.exe,true wiaacmgr.exe,true wiawow64.exe,true +wifitask.exe,true wimserv.exe,true win32calc.exe,true WinBioDataModelOOBE.exe,true +windeploy.exe,true Windows.Media.BackgroundPlayback.exe,true +Windows.WARP.JITService.exe,true WindowsActionDialog.exe,true WindowsUpdateElevatedInstaller.exe,true wininit.exe,true winload.exe,true winlogon.exe,true +WinMgmt.exe,true winresume.exe,true winrs.exe,true winrshost.exe,true +WinRTNetMUAHostServer.exe,true WinSAT.exe,true winver.exe,true wkspbroker.exe,true wksprt.exe,true +wlanext.exe,true +wlms.exe,true wlrmdr.exe,true +WMIADAP.exe,true +WmiApSrv.exe,true +WMIC.exe,true +WmiPrvSE.exe,true WMPDMC.exe,true +WorkFolders.exe,true wowreg32.exe,true +WpcMon.exe,true +WpcTok.exe,true WPDShextAutoplay.exe,true +wpnpinst.exe,true wpr.exe,true write.exe,true +wscadminui.exe,true WSCollect.exe,true wscript.exe,true +wsl.exe,true +wslconfig.exe,true +wslhost.exe,true WSManHTTPConfig.exe,true wsmprovhost.exe,true wsqmcons.exe,true WSReset.exe,true wuapihost.exe,true wuauclt.exe,true +WUDFCompanionHost.exe,true WUDFHost.exe,true wusa.exe,true WWAHost.exe,true XblGameSaveTask.exe,true xcopy.exe,true xwizard.exe,true -comrepl.exe,true -MigRegDB.exe,true -DiagnosticsHub.StandardCollector.Service.exe,true -DismHost.exe,true -F12Chooser.exe,true -IMJPDCT.EXE,true -IMJPSET.EXE,true -IMJPUEX.EXE,true -imjpuexc.exe,true -IMTCLNWZ.EXE,true -IMTCPROP.exe,true -IMCCPHR.exe,true -ImeBroker.exe,true -imecfmui.exe,true -IMEDICTUPDATEUI.EXE,true -IMEPADSV.EXE,true -IMESEARCH.EXE,true -IMEWDBLD.EXE,true -ChsIME.exe,true -ChtIME.exe,true -mighost.exe,true -audit.exe,true -AuditShD.exe,true -FirstLogonAnim.exe,true -msoobe.exe,true -oobeldr.exe,true -Setup.exe,true -UserOOBEBroker.exe,true -windeploy.exe,true -SpeechUXWiz.exe,true -SpeechModelDownload.exe,true -SpeechRuntime.exe,true -PrintBrm.exe,true 
-PrintBrmEngine.exe,true -sysprep.exe,true -SystemResetPlatform.exe,true -mofcomp.exe,true -scrcons.exe,true -unsecapp.exe,true -wbemtest.exe,true -WinMgmt.exe,true -WMIADAP.exe,true -WmiApSrv.exe,true -WMIC.exe,true -WmiPrvSE.exe,true -powershell.exe,true -powershell_ise.exe,true -dplaysvr.exe,true -dtdump.exe,true -hh.exe,true -instnm.exe,true -perfhost.exe,true -rasautou.exe,true -rasphone.exe,true -regedit.exe,true -setup16.exe,true -user.exe,true -_isdel.exe,true -agentactivationruntimestarter.exe,true -ApplyTrustOffline.exe,true -ApproveChildRequest.exe,true -appverif.exe,true -baaupdate.exe,true -bash.exe,true -bdechangepin.exe,true -BdeHdCfg.exe,true -BdeUISrv.exe,true -bdeunlock.exe,true -BitLockerDeviceEncryption.exe,true -BitLockerWizard.exe,true -BitLockerWizardElev.exe,true -bootsect.exe,true -browserexport.exe,true -CIDiag.exe,true -CompPkgSrv.exe,true -convertvhd.exe,true -coredpussvr.exe,true -CredentialEnrollmentManager.exe,true -curl.exe,true -CustomInstallExec.exe,true -d3dconfig.exe,true -DataStoreCacheDumpTool.exe,true -DataUsageLiveTileTask.exe,true -deploymentcsphelper.exe,true -desktopimgdownldr.exe,true -DeviceCredentialDeployment.exe,true -directxdatabaseupdater.exe,true -dmclient.exe,true -DTUHandler.exe,true -dusmtask.exe,true -DXCap.exe,true -DXCpl.exe,true -dxgiadaptercache.exe,true -EASPolicyManagerBrokerHost.exe,true -EduPrintProv.exe,true -EoAExperiences.exe,true -fhmanagew.exe,true -FileHistory.exe,true -FsIso.exe,true -fvenotify.exe,true -fveprompt.exe,true -FXSCOVER.exe,true -FXSSVC.exe,true -FXSUNATD.exe,true -hcsdiag.exe,true -hnsdiag.exe,true -hvsievaluator.exe,true -ie4ushowIE.exe,true -IESettingSync.exe,true -InputSwitchToastHandler.exe,true -iotstartup.exe,true -manage-bde.exe,true -MBR2GPT.EXE,true -microsoft.windows.softwarelogo.showdesktop.exe,true -MicrosoftEdgeBCHost.exe,true -MicrosoftEdgeCP.exe,true -MicrosoftEdgeDevTools.exe,true -MicrosoftEdgeSH.exe,true -mmgaserver.exe,true -MoUsoCoreWorker.exe,true -msra.exe,true 
-MusNotifyIcon.exe,true -NDKPing.exe,true -NgcIso.exe,true -nmbind.exe,true -nmscrub.exe,true -nvspinfo.exe,true -ofdeploy.exe,true -pacjsworker.exe,true -PinEnrollmentBroker.exe,true -PktMon.exe,true -pospaymentsworker.exe,true -provlaunch.exe,true -provtool.exe,true -ProximityUxHost.exe,true -prproc.exe,true -quickassist.exe,true -raserver.exe,true -RDVGHelper.exe,true -recdisc.exe,true -refsutil.exe,true -RemoteAppLifetimeManager.exe,true -RemoteFXvGPUDisablement.exe,true -repair-bde.exe,true -rstrui.exe,true -runexehelper.exe,true -sdchange.exe,true -sdclt.exe,true -SecurityHealthHost.exe,true -SecurityHealthService.exe,true -SecurityHealthSystray.exe,true -SgrmBroker.exe,true -SgrmLpac.exe,true -SpatialAudioLicenseSrv.exe,true -Spectrum.exe,true -srdelayed.exe,true -SrTasks.exe,true -SystemUWPLauncher.exe,true -tar.exe,true -tcblaunch.exe,true -TpmTool.exe,true -ttdinject.exe,true -tttracer.exe,true -UIMgrBroker.exe,true -upfc.exe,true -usocoreworker.exe,true -UtcDecoderHost.exe,true -VBoxControl.exe,true -VBoxService.exe,true -VBoxTray.exe,true -vfpctrl.exe,true -vmcompute.exe,true -vmwp.exe,true -VsGraphicsDesktopEngine.exe,true -VsGraphicsRemoteEngine.exe,true -vsjitdebugger.exe,true -WaaSMedicAgent.exe,true -wbadmin.exe,true -wbengine.exe,true -WFS.exe,true -wifitask.exe,true -Windows.WARP.JITService.exe,true -WinRTNetMUAHostServer.exe,true -wlanext.exe,true -WorkFolders.exe,true -WpcMon.exe,true -WpcTok.exe,true -wpnpinst.exe,true -wscadminui.exe,true -wsl.exe,true -wslconfig.exe,true -WUDFCompanionHost.exe,true -IEChooser.exe,true -wslhost.exe,true -scp.exe,true -sftp.exe,true -ssh-add.exe,true -ssh-agent.exe,true -ssh-keygen.exe,true -ssh-keyscan.exe,true -ssh.exe,true -PerceptionSimulationInput.exe,true -PerceptionSimulationService.exe,true -UNPUXHost.exe,true -UNPUXLauncher.exe,true -UpdateNotificationMgr.exe,true -FaceFodUninstaller.exe,true -wlms.exe,true -OneDriveSetup.exe,true -OposHost.exe,true \ No newline at end of file 
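Review bot: The re-sort silently drops entries that only existed in the old unsorted tail: `ssh.exe`, `ssh-add.exe`, `ssh-agent.exe`, `ssh-keygen.exe` and `ssh-keyscan.exe` are removed here and not re-added in any of the sorted hunks, while their siblings `scp.exe` and `sftp.exe` are kept; `bash.exe`, `Setup.exe`, `VBoxControl.exe`, `VBoxService.exe` and `VBoxTray.exe` disappear the same way. Dropping the VirtualBox guest-additions binaries and the generic `Setup.exe`/`bash.exe` names looks deliberate, as they are not Windows system files, but the OpenSSH client binaries ship under System32\OpenSSH on recent Windows builds (as far as I recall), so whichever detection consumes this lookup — presumably the "System Processes Run From Unexpected Locations" rule bumped in this same series — would no longer flag a relocated or renamed ssh.exe. Either re-add the five `ssh*` rows in sorted position (`srdelayed.exe` / `SrTasks.exe` / `ssh*.exe` / `stordiag.exe`) or state in the commit message that the removal is intentional. The lookup's own description still says the baseline is "Server 2016 and Windows 10"; if this refresh came from a newer build, that sentence should be updated too.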
diff --git a/lookups/is_windows_system_file.yml b/lookups/is_windows_system_file.yml index 14303d0a39..de9dbbb9e3 100644 --- a/lookups/is_windows_system_file.yml +++ b/lookups/is_windows_system_file.yml @@ -1,9 +1,9 @@ name: is_windows_system_file -date: 2024-12-23 -version: 2 +date: 2025-12-31 +version: 3 id: ce238622-4d8f-41a4-a747-5d0adab9c854 author: Splunk Threat Research Team lookup_type: csv description: A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10. min_matches: 1 -case_sensitive_match: false \ No newline at end of file +case_sensitive_match: false From 3596cf8251ae510a39d03755ed31a2ad932bd228 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Jan 2026 19:06:45 +0100 Subject: [PATCH 5/7] Update system_processes_run_from_unexpected_locations.yml --- .../endpoint/system_processes_run_from_unexpected_locations.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml index d33af8940e..2e3f2de426 100644 --- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml +++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml @@ -1,6 +1,6 @@ name: System Processes Run From Unexpected Locations id: a34aae96-ccf8-4aef-952c-3ea21444444d -version: 14 +version: 13 date: '2025-12-31' author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk status: production From 6e614f1258562a93018f21b81f5904225c5bd8de Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Sat, 10 Jan 2026 14:47:39 +0100 Subject: [PATCH 6/7] small changes --- .../endpoint/detect_rtlo_in_file_name.yml | 111 ++++++++++-------- ...ing_interpreter_hunting_path_traversal.yml | 84 +++++++------ 2 files changed, 113 insertions(+), 82 deletions(-) 
diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml index 07f4aab7df..9adbf585c6 100644 --- a/detections/endpoint/detect_rtlo_in_file_name.yml +++ b/detections/endpoint/detect_rtlo_in_file_name.yml @@ -5,7 +5,8 @@ date: '2025-05-02' author: Steven Dick status: production type: TTP -description: The following analytic identifies the use of the right-to-left override +description: | + The following analytic identifies the use of the right-to-left override (RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel, specifically focusing on file creation events and file names containing the RTLO character (U+202E). This activity is significant because adversaries use RTLO to 
@@ -14,67 +15,81 @@ description: The following analytic identifies the use of the right-to-left over to the execution of harmful files and potential system compromise. data_source: - Sysmon EventID 11 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem - where Filesystem.file_name!=unknown by Filesystem.action Filesystem.dest Filesystem.file_access_time - Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name - Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid - Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex - file_name = "\\x{202E}" | rex field=file_name "(?.+)(?\\x{202E})(?.+)" - | eval file_name_with_RTLO=file_name | eval file_name=RTLO_file_1.RTLO_file_2 | - fields - RTLO* | `detect_rtlo_in_file_name_filter`' -how_to_implement: To successfully implement this search you need to be ingesting information +search: | + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + values(Filesystem.file_create_time) as file_create_time + + from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown + + by Filesystem.action Filesystem.dest Filesystem.file_access_time + Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time + Filesystem.file_name Filesystem.file_path Filesystem.file_acl + Filesystem.file_size Filesystem.process_guid Filesystem.process_id + Filesystem.user Filesystem.vendor_product + + | `drop_dm_object_name(Filesystem)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | regex file_name = "\\x{202E}" + | rex field=file_name "(?.+)(?\\x{202E})(?.+)" + | eval file_name_with_RTLO=file_name + | eval 
file_name=RTLO_file_1.RTLO_file_2 + | fields - RTLO* + | `detect_rtlo_in_file_name_filter` +how_to_implement: | + To successfully implement this search you need to be ingesting information on process that includes the full command line of the process being launched on your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product. -known_false_positives: Implementation in regions that use right to left in native - language. +known_false_positives: | + Implementation in regions that use right to left in native language. references: -- https://attack.mitre.org/techniques/T1036/002/ -- https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ -- https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html + - https://attack.mitre.org/techniques/T1036/002/ + - https://resources.infosecinstitute.com/topic/spoof-using-right-to-left-override-rtlo-technique-2/ + - https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html drilldown_searches: -- name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", - "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) - as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk - Message" values(analyticstories) as "Analytic Stories" values(annotations._all) - as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' 
- earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) + as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk + Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: message: Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$. 
risk_objects: - - field: user - type: user - score: 40 - - field: dest - type: system - score: 40 + - field: user + type: user + score: 40 + - field: dest + type: system + score: 40 threat_objects: - - field: file_name - type: file_name + - field: file_name + type: file_name tags: analytic_story: - - Spearphishing Attachments + - Spearphishing Attachments asset_type: Endpoint mitre_attack_id: - - T1036.002 + - T1036.002 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.002/outlook_attachment/rtlo_events.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml index e6f093c581..2afbe98ff4 100644 --- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml +++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml 
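Review bot: The `how_to_implement` block, whose first line this hunk rewrites into a block scalar, still instructs operators to ingest process command-line data into the Endpoint datamodel's Processes node, while the search directly above reads `from datamodel=Endpoint.Filesystem` and the declared data source is Sysmon EventID 11 (file create). Since the line is already being touched, suggest aligning it, e.g. `To successfully implement this search you need to be ingesting file creation events (for example Sysmon EventID 11) that include the full file name and path into the Endpoint datamodel in the Filesystem node.`, and keeping the following sentence about the CIM app version as is. Without this, someone onboarding the detection will verify the wrong datamodel node and the RTLO regex will never see any events.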
@@ -1,11 +1,12 @@ name: Windows Command and Scripting Interpreter Hunting Path Traversal id: d0026380-b3c4-4da0-ac8e-02790063ff6b -version: 6 -date: '2025-05-02' +version: 7 +date: '2026-01-10' author: Teoderick Contreras, Michael Haag, Splunk status: production type: Hunting -description: The following analytic identifies path traversal command-line executions, +description: | + The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of "/..", "\..", or "\\..". This activity is significant as it often indicates 
@@ -14,23 +15,38 @@ description: The following analytic identifies path traversal command-line execu code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network. data_source: -- Sysmon EventID 1 -- Windows Event Log Security 4688 -- CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime FROM datamodel=Endpoint.Processes by Processes.action Processes.dest - Processes.original_file_name Processes.parent_process Processes.parent_process_exec - Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name - Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name - Processes.process_path Processes.user Processes.user_id Processes.vendor_product - | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | eval count_of_pattern1 = (mvcount(split(process,"/.."))-1) | eval count_of_pattern2 - = (mvcount(split(process,"\.."))-1) | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) - | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) | search count_of_pattern1 - > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1 | - `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`' -how_to_implement: The detection is based on data that originates from Endpoint Detection + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime FROM datamodel=Endpoint.Processes where + Processes.process IN ("*\\..*", "*//..*", "*\..*", "*/..*") + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + 
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process + Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id + Processes.process_integrity_level Processes.process_name Processes.process_path + Processes.user Processes.user_id Processes.vendor_product + + | `drop_dm_object_name("Processes")` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | eval count_of_pattern1 = (mvcount(split(process,"/.."))-1) + | eval count_of_pattern2 = (mvcount(split(process,"\.."))-1) + | eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1) + | eval count_of_pattern4 = (mvcount(split(process,"//.."))-1) + + | search count_of_pattern1 > 1 + OR + count_of_pattern2 > 1 + OR + count_of_pattern3 > 1 + OR + count_of_pattern4 > 1 + | `windows_command_and_scripting_interpreter_hunting_path_traversal_filter` +how_to_implement: | + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. 
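Review bot: The new tstats pre-filter `Processes.process IN ("*\\..*", "*//..*", "*\..*", "*/..*")` contains overlapping patterns: any value containing `//..` also contains `/..`, so `"*//..*"` adds nothing beyond `"*/..*"`, and the backslash pair very likely collapses the same way once SPL unescapes the `\\` literal inside `IN()`, which is worth confirming against the T1059/path_traversal test dataset. Reducing the list to the two single-separator forms would make the intent clearer without changing which events pass, since the four `count_of_pattern` evals after `drop_dm_object_name` still enforce the actual `> 1` thresholds. Separately, spreading the final `search` over seven lines with `OR` on its own line is unusual for SPL; `| search count_of_pattern1 > 1 OR count_of_pattern2 > 1 OR count_of_pattern3 > 1 OR count_of_pattern4 > 1` reads more naturally and matches the single-line style used for the evals above it.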
@@ -39,25 +55,25 @@ how_to_implement: The detection is based on data that originates from Endpoint D the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: false positive may vary depends on the score you want to check. - The bigger number of path traversal string count the better. +known_false_positives: | + False positives may vary depending on the score you want to check. references: -- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ + - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ tags: analytic_story: - - Windows Defense Evasion Tactics - - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 + - Windows Defense Evasion Tactics + - Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 asset_type: Endpoint mitre_attack_id: - - T1059 + - T1059 product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud security_domain: endpoint tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog From c9bd3e8d08b1caa092c4fbf6ea44e8879daed854 Mon Sep 17 00:00:00 2001 
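Review bot: The rewritten `known_false_positives` text refers to "the score you want to check", but the search has no score field; it filters on fixed `count_of_patternN > 1` thresholds, so the sentence does not tell a tuner what to adjust, and the dropped second sentence was the only hint that a higher count means higher confidence. Suggest replacing it with something that names the actual knob, e.g. `False positives depend on the traversal-count threshold: the search requires more than one ".." sequence per separator pattern (count_of_patternN > 1), and legitimate scripts or installers that use relative paths can exceed it; raise the threshold or exclude them via the filter macro.` This keeps the guidance the old text carried while pointing at the condition that is actually in the search.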
From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Sat, 10 Jan 2026 14:50:37 +0100 Subject: [PATCH 7/7] Update detect_rtlo_in_file_name.yml --- detections/endpoint/detect_rtlo_in_file_name.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml index 9adbf585c6..46596f2573 100644 --- a/detections/endpoint/detect_rtlo_in_file_name.yml +++ b/detections/endpoint/detect_rtlo_in_file_name.yml @@ -1,7 +1,7 @@ name: Detect RTLO In File Name id: 468b7e11-d362-43b8-b6ec-7a2d3b246678 -version: 8 -date: '2025-05-02' +version: 9 +date: '2026-01-10' author: Steven Dick status: production type: TTP