Files With System Process Name In Unsuspected Locations

  1title: Files With System Process Name In Unsuspected Locations
  2id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
  3status: test
  4description: |
  5    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
  6    It is highly recommended to perform an initial baseline before using this rule in production.    
  7references:
  8    - Internal Research
  9author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 10date: 2020-05-26
 11modified: 2025-12-03
 12tags:
 13    - attack.defense-evasion
 14    - attack.t1036.005
 15logsource:
 16    category: file_event
 17    product: windows
 18detection:
 19    selection:
 20        TargetFilename|endswith:
 21            - '\AtBroker.exe'
 22            - '\audiodg.exe'
 23            - '\backgroundTaskHost.exe'
 24            - '\bcdedit.exe'
 25            - '\bitsadmin.exe'
 26            - '\cmdl32.exe'
 27            - '\cmstp.exe'
 28            - '\conhost.exe'
 29            - '\csrss.exe'
 30            - '\dasHost.exe'
 31            - '\dfrgui.exe'
 32            - '\dllhost.exe'
 33            - '\dwm.exe'
 34            - '\eventcreate.exe'
 35            - '\eventvwr.exe'
 36            - '\explorer.exe'
 37            - '\extrac32.exe'
 38            - '\fontdrvhost.exe'
 39            - '\ipconfig.exe'
 40            - '\iscsicli.exe'
 41            - '\iscsicpl.exe'
 42            - '\logman.exe'
 43            - '\LogonUI.exe'
 44            - '\LsaIso.exe'
 45            - '\lsass.exe'
 46            - '\lsm.exe'
 47            - '\msiexec.exe'
 48            - '\msinfo32.exe'
 49            - '\mstsc.exe'
 50            - '\nbtstat.exe'
 51            - '\odbcconf.exe'
 52            - '\powershell.exe'
 53            - '\pwsh.exe'
 54            - '\regini.exe'
 55            - '\regsvr32.exe'
 56            - '\rundll32.exe'
 57            - '\RuntimeBroker.exe'
 58            - '\schtasks.exe'
 59            - '\SearchFilterHost.exe'
 60            - '\SearchIndexer.exe'
 61            - '\SearchProtocolHost.exe'
 62            - '\SecurityHealthService.exe'
 63            - '\SecurityHealthSystray.exe'
 64            - '\services.exe'
 65            - '\ShellAppRuntime.exe'
 66            - '\sihost.exe'
 67            - '\smartscreen.exe'
 68            - '\smss.exe'
 69            - '\spoolsv.exe'
 70            - '\svchost.exe'
 71            - '\SystemSettingsBroker.exe'
 72            - '\taskhost.exe'
 73            - '\taskhostw.exe'
 74            - '\Taskmgr.exe'
 75            - '\TiWorker.exe'
 76            - '\vssadmin.exe'
 77            - '\w32tm.exe'
 78            - '\WerFault.exe'
 79            - '\WerFaultSecure.exe'
 80            - '\wermgr.exe'
 81            - '\wevtutil.exe'
 82            - '\wininit.exe'
 83            - '\winlogon.exe'
 84            - '\winrshost.exe'
 85            - '\WinRTNetMUAHostServer.exe'
 86            - '\wlanext.exe'
 87            - '\wlrmdr.exe'
 88            - '\WmiPrvSE.exe'
 89            - '\wslhost.exe'
 90            - '\WSReset.exe'
 91            - '\WUDFHost.exe'
 92            - '\WWAHost.exe'
 93    filter_main_generic:
 94        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
 95        TargetFilename|contains:
 96            # - '\SystemRoot\System32\'
 97            - 'C:\$WINDOWS.~BT\'
 98            - 'C:\$WinREAgent\'
 99            - 'C:\Windows\SoftwareDistribution\'
100            - 'C:\Windows\System32\'
101            - 'C:\Windows\SysWOW64\'
102            - 'C:\Windows\WinSxS\'
103            - 'C:\Windows\uus\'
104    filter_main_tiworker:
105        Image|endswith:
106            - '\TiWorker.exe'
107            - '\wuaucltcore.exe'
108        TargetFilename|startswith: 'C:\Windows\Temp\'
109    filter_main_svchost:
110        Image|endswith:
111            - 'C:\Windows\system32\svchost.exe'
112            - 'C:\Windows\SysWOW64\svchost.exe'
113        TargetFilename|contains:
114            - 'C:\Program Files\WindowsApps\'
115            - 'C:\Program Files (x86)\WindowsApps\'
116            - '\AppData\Local\Microsoft\WindowsApps\'
117    filter_main_wuauclt:
118        Image:
119            - 'C:\Windows\System32\wuauclt.exe'
120            - 'C:\Windows\SysWOW64\wuauclt.exe'
121            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
122    filter_main_explorer:
123        TargetFilename|endswith: 'C:\Windows\explorer.exe'
124    filter_main_msiexec:
125        # This filter handles system processes who are updated/installed using misexec.
126        Image|endswith:
127            - 'C:\WINDOWS\system32\msiexec.exe'
128            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
129        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
130        TargetFilename|startswith:
131            - 'C:\Program Files\PowerShell\7\pwsh.exe'
132            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
133            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
134    filter_main_healtray:
135        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
136        TargetFilename|endswith: '\SecurityHealthSystray.exe'
137        Image|endswith: '\SecurityHealthSetup.exe'
138    condition: selection and not 1 of filter_main_*
139falsepositives:
140    - System processes copied outside their default folders for testing purposes
141    - Third party software naming their software with the same names as the processes mentioned here
142# Note: Upgrade to high after an initial baseline to your environement.
143level: medium
144regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml