Process Execution from an Unusual Directory
Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/10/30"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide
13malware in trusted paths.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Process Execution from an Unusual Directory"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24risk_score = 47
25rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32process where host.os.type == "windows" and event.type == "start" and
33 /* add suspicious execution paths here */
34process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe","C:\\Windows\\AppReadiness\\*.exe",
35"C:\\Windows\\ServiceState\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityCRL\\*.exe","C:\\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe",
36 "C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\Windows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\Fonts\\*.exe",
37 "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*.exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe","C:\\windows\\tracing\\*.exe",
38 "c:\\windows\\IME\\*.exe","c:\\Windows\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*.exe","C:\\Windows\\dot3svc\\*.exe",
39 "C:\\Windows\\panther\\*.exe","C:\\Windows\\RemotePackages\\*.exe","C:\\Windows\\OCR\\*.exe","C:\\Windows\\appcompat\\*.exe","C:\\Windows\\apppatch\\*.exe","C:\\Windows\\addins\\*.exe",
40 "C:\\Windows\\Setup\\*.exe","C:\\Windows\\Help\\*.exe","C:\\Windows\\SKB\\*.exe","C:\\Windows\\Vss\\*.exe","C:\\Windows\\Web\\*.exe","C:\\Windows\\servicing\\*.exe","C:\\Windows\\CbsTemp\\*.exe",
41 "C:\\Windows\\Logs\\*.exe","C:\\Windows\\WaaS\\*.exe","C:\\Windows\\ShellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Windows\\PLA\\*.exe",
42 "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debug\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.exe","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe",
43 "C:\\Windows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\\*.exe","C:\\Windows\\Resources\\*.exe",
44 "C:\\Windows\\rescache\\*.exe","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe","C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe",
45 "C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C:\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe","C:\\Windows\\ImmersiveControlPanel\\*.exe") and
46 not process.name : ("SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDialog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") and
47 not process.executable :
48 ("?:\\Intel\\Wireless\\WUSetupLauncher.exe",
49 "?:\\Intel\\Wireless\\Setup.exe",
50 "?:\\Intel\\Move Mouse.exe",
51 "?:\\windows\\Panther\\DiagTrackRunner.exe",
52 "?:\\Windows\\servicing\\GC64\\tzupd.exe",
53 "?:\\Users\\Public\\res\\RemoteLite.exe",
54 "?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe",
55 "?:\\Users\\Public\\Documents\\syspin.exe",
56 "?:\\Users\\Public\\res\\FileWatcher.exe")
57 /* uncomment once in winlogbeat */
58 /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */
59'''
60
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1036"
66name = "Masquerading"
67reference = "https://attack.mitre.org/techniques/T1036/"
68[[rule.threat.technique.subtechnique]]
69id = "T1036.005"
70name = "Match Legitimate Name or Location"
71reference = "https://attack.mitre.org/techniques/T1036/005/"
72
73
74
75[rule.threat.tactic]
76id = "TA0005"
77name = "Defense Evasion"
78reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Clearing Windows Console History
- Clearing Windows Event Logs
- Code Signing Policy Modification Through Built-in tools