Executables written or modified in installer directories (e.g., %TEMP% subdirectories or Program Files installer paths) followed by execution under elevated context. Defender observes abnormal file replacement activity, process creation by installer processes pointing to attacker-supplied binaries, and unexpected module loads in elevated processes.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| MonitoredDirectories | Specific writable directories to monitor (e.g., %TEMP%, C:\ProgramData, installer unpack paths). |
| HashBaseline | Known good hashes of installer binaries to detect replacement. |
| TimeWindow | Correlation interval between file overwrite and execution event. |
| UserContext | Differentiate expected admin-installer execution vs. anomalous user writes. |
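The correlation the strategy describes, written out as an added example (not code from the original page or from the ATT&CK project): Sysmon file-create (EventCode 11), process-create (EventCode 1) and image-load (EventCode 7) records are joined on path and ProcessGuid, tuned by the four fields in the table above. The directory list, the hash baseline, the expected writer accounts, the sample events, paths, users and hashes are all constructed placeholders; ProcessGuid is used to carry the elevation state from the EventCode 1 record to the EventCode 7 record, since Sysmon image-load events do not carry an IntegrityLevel field themselves.

```python
"""Correlate Sysmon events for installer-directory hijacking.
Example code written for this page; every path, account, hash and event below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tuning parameters, mirroring the fields in the table above (all values hypothetical).
MONITORED_DIRECTORIES = (r"c:\programdata\vendorinstaller",           # installer unpack path
                         r"c:\users\alice\appdata\local\temp")        # %TEMP% of a sample user
HASH_BASELINE = {r"c:\programdata\vendorinstaller\setup.exe": "1111aaaa",   # placeholder SHA256 values
                 r"c:\programdata\vendorinstaller\helper.dll": "2222bbbb"}
TIME_WINDOW = timedelta(minutes=10)                  # overwrite -> execution correlation interval
EXPECTED_WRITERS = {"nt authority\\system", "corp\\svc_deploy"}   # accounts allowed to stage installer files
ELEVATED = {"high", "system"}                        # Sysmon IntegrityLevel values treated as elevated


@dataclass
class SysmonEvent:
    event_code: int
    utc_time: datetime
    process_guid: str
    image: str                   # process performing the write / exec / load
    user: str = ""
    target_filename: str = ""    # EventCode 11
    parent_image: str = ""       # EventCode 1
    integrity_level: str = ""    # EventCode 1 (IntegrityLevel)
    hashes: str = ""             # EventCode 1 / 7, e.g. "SHA256=...,MD5=..."
    image_loaded: str = ""       # EventCode 7


def in_monitored_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in MONITORED_DIRECTORIES)


def sha256_of(hashes: str) -> str:
    """Pull the SHA256 value out of Sysmon's comma-separated Hashes field."""
    for part in hashes.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "SHA256":
            return value.lower()
    return ""


def correlate(events):
    """Return alerts as (rule, path, detail) tuples, processing events in time order."""
    recent_writes = {}      # lowercase path -> (write time, writer, anomalous writer?)
    elevated_procs = set()  # ProcessGuids seen starting at High/System integrity
    alerts = []
    for ev in sorted(events, key=lambda e: e.utc_time):
        if ev.event_code == 11:
            if not in_monitored_dir(ev.target_filename):
                continue
            anomalous = ev.user.lower() not in EXPECTED_WRITERS     # UserContext
            recent_writes[ev.target_filename.lower()] = (ev.utc_time, ev.user, anomalous)
            if anomalous:
                alerts.append(("unexpected-writer", ev.target_filename, ev.user))
            continue
        if ev.event_code == 1 and ev.integrity_level.lower() in ELEVATED:
            elevated_procs.add(ev.process_guid)
        used = {1: ev.image, 7: ev.image_loaded}.get(ev.event_code, "")
        if not used:
            continue
        hit = recent_writes.get(used.lower())
        # Elevated use of a file that an unexpected account wrote within TimeWindow.
        if hit and hit[2] and ev.utc_time - hit[0] <= TIME_WINDOW and ev.process_guid in elevated_procs:
            rule = "elevated-exec-of-recent-write" if ev.event_code == 1 else "elevated-load-of-recent-write"
            alerts.append((rule, used, hit[1]))
        # HashBaseline: the installer binary on disk no longer matches the known-good hash.
        expected = HASH_BASELINE.get(used.lower())
        if expected and sha256_of(ev.hashes) != expected:
            alerts.append(("hash-baseline-mismatch", used, sha256_of(ev.hashes)))
    return alerts


T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry
    # Service account stages the installer: expected writer, no alert.
    SysmonEvent(11, T0, "{G1}", r"C:\Windows\System32\svchost.exe", user="NT AUTHORITY\\SYSTEM",
                target_filename=r"C:\ProgramData\VendorInstaller\setup.exe"),
    # Standard user overwrites a DLL inside the installer unpack directory.
    SysmonEvent(11, T0 + timedelta(minutes=1), "{G2}", r"C:\Users\alice\Desktop\dropper.exe", user="CORP\\alice",
                target_filename=r"C:\ProgramData\VendorInstaller\helper.dll"),
    # Installer starts at System integrity; its hash still matches the baseline.
    SysmonEvent(1, T0 + timedelta(minutes=2), "{G3}", r"C:\ProgramData\VendorInstaller\setup.exe",
                user="NT AUTHORITY\\SYSTEM", parent_image=r"C:\Windows\System32\services.exe",
                integrity_level="System", hashes="SHA256=1111AAAA"),
    # The elevated installer loads the user-written DLL, whose hash no longer matches.
    SysmonEvent(7, T0 + timedelta(minutes=3), "{G3}", r"C:\ProgramData\VendorInstaller\setup.exe",
                image_loaded=r"C:\ProgramData\VendorInstaller\helper.dll", hashes="SHA256=DEADBEEF"),
    # The user drops a second binary, which the installer then launches at High integrity.
    SysmonEvent(11, T0 + timedelta(minutes=4), "{G2}", r"C:\Users\alice\Desktop\dropper.exe", user="CORP\\alice",
                target_filename=r"C:\ProgramData\VendorInstaller\update.exe"),
    SysmonEvent(1, T0 + timedelta(minutes=5), "{G4}", r"C:\ProgramData\VendorInstaller\update.exe",
                user="NT AUTHORITY\\SYSTEM", parent_image=r"C:\ProgramData\VendorInstaller\setup.exe",
                integrity_level="High"),
]

if __name__ == "__main__":
    for rule, path, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:32} {path}  ({detail})")
```

The writer-account check is what keeps the legitimate staging of setup.exe by the service account quiet while the same write-then-elevated-use pattern by an interactive user fires; the hash baseline check is independent of timing, so a replaced installer binary is caught even when the overwrite happened outside TimeWindow. EventCode 15 (FileCreateStreamHash) carries a hash at write time and could feed the same baseline comparison before execution ever occurs.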