Query Details

Unsigned Executions from User Directories

Query

# Rule: Detection of Unsigned Executable Launches from User Directories

## Description
This detection rule identifies instances where unsigned or suspiciously signed executable files (`.exe`) are launched from common user directories—such as `\Users\`, `\Downloads\`, `\AppData\`, and `\Temp\`—by typical user-facing applications like **Explorer**, **Google Chrome**, or **Microsoft Edge**. Such behavior is often indicative of malicious activity, where attackers trick users into downloading and executing harmful payloads through familiar applications.

The relevance of this detection is underscored by incidents like the **Fake Zoom Installer** campaign, where users were deceived into downloading a malicious Zoom installer. This installer executed additional payloads, leading to severe compromises, including ransomware deployment. Monitoring for unsigned executables originating from user directories can help in early detection of such deceptive tactics.

- [Fake Zoom Ends in BlackSuit Ransomware](https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/)

## Detection Logic
- **Monitored Directories:**
  - `\Users\`
  - `\Downloads\`
  - `\AppData\`
  - `\Temp\`

- **Signature Status:**
  - `Unknown`
  - `Unsigned`
  - `Invalid`

- **File Type:**
  - Files ending with `.exe`

- **Exclusions:**
  - Processes associated with known legitimate software, such as:
    - **Telegram** (`Telegram FZ-LLC`)
    - **Zoom**

- **Initiating Processes:**
  - `explorer.exe`
  - `chrome.exe`
  - `msedge.exe`

## Tags
- Unsigned Executables
- User Directory Execution
- Initial Access
- Malware Delivery
- Windows Security
- Fake Installer Detection

## Search Query
```kql
DeviceProcessEvents
// Launch location: common user-writable directories
| where FolderPath has_any ("\\Users\\", "\\Downloads\\", "\\AppData\\", "\\Temp\\")
// Signature status as recorded for the initiating (parent) process, i.e. the
// launching explorer/chrome/msedge instance, not the launched .exe itself
| where InitiatingProcessSignatureStatus in ("Unknown", "Unsigned", "Invalid")
| where FileName endswith ".exe"
// Exclusions for known legitimate software, matched on the launched file's version info
// (the Chrome exclusion is applied to the launched file so that chrome.exe-initiated
// launches are not dropped before the initiating-process filter below)
| where ProcessVersionInfoCompanyName != "Telegram FZ-LLC"
| where ProcessVersionInfoProductName != "Zoom"
| where ProcessVersionInfoFileDescription != "Google Chrome"
// Launched by a user-facing application
| where InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "msedge.exe")
```
## Notes
Exclude and fine-tune in your environment.

Explanation

This query is designed to detect potentially malicious activity on a Windows system by identifying when unsigned or suspiciously signed executable files are launched from common user directories. Here's a simplified breakdown:

1. **Purpose:** The query aims to catch instances where potentially harmful executable files are run from user directories, which is a common tactic used by attackers to trick users into executing malicious software.
2. **Monitored Directories:** It focuses on files located in directories typically used by users, such as:
   - `\Users\`
   - `\Downloads\`
   - `\AppData\`
   - `\Temp\`
3. **Signature Status:** It keeps only events whose recorded signature status (the `InitiatingProcessSignatureStatus` column) is one of:
   - `Unknown`
   - `Unsigned`
   - `Invalid`
4. **File Type:** The query specifically targets files with the `.exe` extension, which are executable files.
5. **Exclusions:** To reduce false positives, it excludes processes associated with known legitimate software, such as:
   - Telegram
   - Zoom
6. **Initiating Processes:** It checks whether the executables were launched by common user-facing applications like:
   - Windows Explorer (`explorer.exe`)
   - Google Chrome (`chrome.exe`)
   - Microsoft Edge (`msedge.exe`)
7. **Tags:** The query is tagged with terms related to security threats, such as unsigned executables, malware delivery, and fake installer detection.
8. **Actionable Insight:** By monitoring these parameters, security teams can detect and respond to potential threats early, such as those involving fake installers that lead to malware or ransomware infections.

Overall, this query helps in identifying suspicious activities that could indicate an initial access attempt by attackers through deceptive means.
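To see which events the filters above keep and which they drop, the rule's logic can be run against a constructed `datatable` instead of the live `DeviceProcessEvents` table. The block below is an added example, not the published rule itself: the rows are made up (device names, paths and file names are invented for illustration) and only the columns the filters read are included, so it runs in any Kusto environment without Defender telemetry. The Chrome exclusion is applied to the launched file's description rather than the initiating process's, so that launches initiated by `chrome.exe` are not removed before the initiating-process filter.

```kql
// Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
// Only the columns the rule reads are included.
let SampleEvents = datatable(
    Timestamp:datetime,
    DeviceName:string,
    FolderPath:string,
    FileName:string,
    ProcessVersionInfoCompanyName:string,
    ProcessVersionInfoProductName:string,
    ProcessVersionInfoFileDescription:string,
    InitiatingProcessFileName:string,
    InitiatingProcessSignatureStatus:string,
    InitiatingProcessVersionInfoFileDescription:string
)[
    // 1. Unsigned installer in Downloads, launched from Chrome
    datetime(2025-04-09 10:00:00), "WS-01", @"C:\Users\alice\Downloads\Zoom_Installer_v2.exe", "Zoom_Installer_v2.exe", "", "", "", "chrome.exe", "Unsigned", "Google Chrome",
    // 2. Same file, opened again from Explorer with status Unknown
    datetime(2025-04-09 10:01:00), "WS-01", @"C:\Users\alice\Downloads\Zoom_Installer_v2.exe", "Zoom_Installer_v2.exe", "", "", "", "explorer.exe", "Unknown", "Windows Explorer",
    // 3. Genuine Zoom client in AppData: removed by the ProductName exclusion
    datetime(2025-04-09 10:02:00), "WS-01", @"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe", "Zoom.exe", "Zoom Video Communications, Inc.", "Zoom", "Zoom", "explorer.exe", "Unsigned", "Windows Explorer",
    // 4. Unknown tool in Downloads, but the parent's signature status is Valid
    datetime(2025-04-09 10:03:00), "WS-02", @"C:\Users\bob\Downloads\tool.exe", "tool.exe", "", "", "", "msedge.exe", "Valid", "Microsoft Edge",
    // 5. Program Files path: not one of the monitored directories
    datetime(2025-04-09 10:04:00), "WS-02", @"C:\Program Files\Vendor\app.exe", "app.exe", "Vendor", "App", "App", "explorer.exe", "Unsigned", "Windows Explorer",
    // 6. Non-.exe in Temp launched by a host process that is not in the parent list
    datetime(2025-04-09 10:05:00), "WS-03", @"C:\Users\carol\AppData\Local\Temp\payload.dll", "payload.dll", "", "", "", "rundll32.exe", "Unsigned", "Windows host process (Rundll32)"
];
SampleEvents
| where FolderPath has_any ("\\Users\\", "\\Downloads\\", "\\AppData\\", "\\Temp\\")
| where InitiatingProcessSignatureStatus in ("Unknown", "Unsigned", "Invalid")
| where FileName endswith ".exe"
| where ProcessVersionInfoCompanyName != "Telegram FZ-LLC"
| where ProcessVersionInfoProductName != "Zoom"
| where ProcessVersionInfoFileDescription != "Google Chrome"
| where InitiatingProcessFileName in~ ("explorer.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessSignatureStatus, FolderPath, FileName
```

Of the six constructed rows, only rows 1 and 2 (the two `Zoom_Installer_v2.exe` launches) survive all seven filters. Row 4 is the one to think about when tuning: the status filter reads `InitiatingProcessSignatureStatus`, which describes the launching process (`explorer.exe`, `chrome.exe`, `msedge.exe`), and those binaries are normally validly signed on a healthy host, so check what values that column actually takes in your own telemetry before relying on it to express "the launched file is unsigned". Replacing `SampleEvents` with `DeviceProcessEvents` turns the harness back into the production query.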

Details


Ali Hussein

Released: April 9, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, User Directory Execution, Malware Delivery, Windows Security

Operators

has_any, in, endswith, !=, in~
