← Back to SOC feed Coverage →

Writing Of Malicious Files To The Fonts Folder

sigma MEDIUM SigmaHQ
T1211T1059
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T11:00:00Z · Confidence: medium

Hunt Hypothesis

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn’t require admin privillege to be written and executed from.

Detection Rule

Sigma (Original)

title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1211
    - attack.t1059
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "echo" or TargetProcessCommandLine contains "copy" or TargetProcessCommandLine contains "type" or TargetProcessCommandLine contains "file createnew" or TargetProcessCommandLine contains "cacls") and TargetProcessCommandLine contains "C:\\Windows\\Fonts\\" and (TargetProcessCommandLine contains ".sh" or TargetProcessCommandLine contains ".exe" or TargetProcessCommandLine contains ".dll" or TargetProcessCommandLine contains ".bin" or TargetProcessCommandLine contains ".bat" or TargetProcessCommandLine contains ".cmd" or TargetProcessCommandLine contains ".js" or TargetProcessCommandLine contains ".msh" or TargetProcessCommandLine contains ".reg" or TargetProcessCommandLine contains ".scr" or TargetProcessCommandLine contains ".ps" or TargetProcessCommandLine contains ".vb" or TargetProcessCommandLine contains ".jar" or TargetProcessCommandLine contains ".pl" or TargetProcessCommandLine contains ".inf" or TargetProcessCommandLine contains ".cpl" or TargetProcessCommandLine contains ".hta" or TargetProcessCommandLine contains ".msi" or TargetProcessCommandLine contains ".vbs")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml