Processes executing binaries named after legitimate system utilities (e.g., net.exe, findstr.exe, python.exe) from non-standard or application-specific directories, combined with file creation or modification events for binaries of those names in the same directories. The defender correlates three signals: writes of such binaries into directories that should not normally contain executables (application folders, user profile subdirectories), process image paths that differ from the baseline system paths (e.g., %SystemRoot%\System32), and parent-child relationships that deviate from the expected lineage for that binary.
| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| SuspiciousBinaryList | Common system utilities often hijacked (e.g., net.exe, cmd.exe, powershell.exe, python.exe). |
| MonitoredDirectories | Directories where executables should not normally be written (e.g., application folders, user profile subdirectories). |
| TimeWindow | Maximum interval between the file creation and the subsequent process execution for the two events to be correlated. |
| ParentProcessBaseline | Expected parent processes for critical system binaries; a parent outside the baseline may indicate hijacking. |