Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Sigma rule (View on GitHub)
1title: Files With System Process Name In Unsuspected Locations
2id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
3status: test
4description: |
5 Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
6 It is highly recommended to perform an initial baseline before using this rule in production.
7references:
8 - Internal Research
9author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
10date: 2020-05-26
11modified: 2025-10-07
12tags:
13 - attack.defense-evasion
14 - attack.t1036.005
15logsource:
16 category: file_event
17 product: windows
18detection:
19 selection:
20 TargetFilename|endswith:
21 - '\AtBroker.exe'
22 - '\audiodg.exe'
23 - '\backgroundTaskHost.exe'
24 - '\bcdedit.exe'
25 - '\bitsadmin.exe'
26 - '\cmdl32.exe'
27 - '\cmstp.exe'
28 - '\conhost.exe'
29 - '\csrss.exe'
30 - '\dasHost.exe'
31 - '\dfrgui.exe'
32 - '\dllhost.exe'
33 - '\dwm.exe'
34 - '\eventcreate.exe'
35 - '\eventvwr.exe'
36 - '\explorer.exe'
37 - '\extrac32.exe'
38 - '\fontdrvhost.exe'
39 - '\ipconfig.exe'
40 - '\iscsicli.exe'
41 - '\iscsicpl.exe'
42 - '\logman.exe'
43 - '\LogonUI.exe'
44 - '\LsaIso.exe'
45 - '\lsass.exe'
46 - '\lsm.exe'
47 - '\msiexec.exe'
48 - '\msinfo32.exe'
49 - '\mstsc.exe'
50 - '\nbtstat.exe'
51 - '\odbcconf.exe'
52 - '\powershell.exe'
53 - '\pwsh.exe'
54 - '\regini.exe'
55 - '\regsvr32.exe'
56 - '\rundll32.exe'
57 - '\RuntimeBroker.exe'
58 - '\schtasks.exe'
59 - '\SearchFilterHost.exe'
60 - '\SearchIndexer.exe'
61 - '\SearchProtocolHost.exe'
62 - '\SecurityHealthService.exe'
63 - '\SecurityHealthSystray.exe'
64 - '\services.exe'
65 - '\ShellAppRuntime.exe'
66 - '\sihost.exe'
67 - '\smartscreen.exe'
68 - '\smss.exe'
69 - '\spoolsv.exe'
70 - '\svchost.exe'
71 - '\SystemSettingsBroker.exe'
72 - '\taskhost.exe'
73 - '\taskhostw.exe'
74 - '\Taskmgr.exe'
75 - '\TiWorker.exe'
76 - '\vssadmin.exe'
77 - '\w32tm.exe'
78 - '\WerFault.exe'
79 - '\WerFaultSecure.exe'
80 - '\wermgr.exe'
81 - '\wevtutil.exe'
82 - '\wininit.exe'
83 - '\winlogon.exe'
84 - '\winrshost.exe'
85 - '\WinRTNetMUAHostServer.exe'
86 - '\wlanext.exe'
87 - '\wlrmdr.exe'
88 - '\WmiPrvSE.exe'
89 - '\wslhost.exe'
90 - '\WSReset.exe'
91 - '\WUDFHost.exe'
92 - '\WWAHost.exe'
93 filter_main_generic:
94 # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
95 TargetFilename|contains:
96 # - '\SystemRoot\System32\'
97 - 'C:\$WINDOWS.~BT\'
98 - 'C:\$WinREAgent\'
99 - 'C:\Windows\SoftwareDistribution\'
100 - 'C:\Windows\System32\'
101 - 'C:\Windows\SysWOW64\'
102 - 'C:\Windows\WinSxS\'
103 - 'C:\Windows\uus\'
104 filter_main_svchost:
105 Image|endswith:
106 - 'C:\Windows\system32\svchost.exe'
107 - 'C:\Windows\SysWOW64\svchost.exe'
108 TargetFilename|contains:
109 - 'C:\Program Files\WindowsApps\'
110 - 'C:\Program Files (x86)\WindowsApps\'
111 - '\AppData\Local\Microsoft\WindowsApps\'
112 filter_main_wuauclt:
113 Image|endswith:
114 - 'C:\Windows\System32\wuauclt.exe'
115 - 'C:\Windows\SysWOW64\wuauclt.exe'
116 filter_main_explorer:
117 TargetFilename|endswith: 'C:\Windows\explorer.exe'
118 filter_main_msiexec:
119 # This filter handles system processes who are updated/installed using misexec.
120 Image|endswith:
121 - 'C:\WINDOWS\system32\msiexec.exe'
122 - 'C:\WINDOWS\SysWOW64\msiexec.exe'
123 # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
124 TargetFilename|startswith:
125 - 'C:\Program Files\PowerShell\7\pwsh.exe'
126 - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
127 - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
128 filter_main_healtray:
129 TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
130 TargetFilename|endswith: '\SecurityHealthSystray.exe'
131 Image|endswith: '\SecurityHealthSetup.exe'
132 condition: selection and not 1 of filter_main_*
133falsepositives:
134 - System processes copied outside their default folders for testing purposes
135 - Third party software naming their software with the same names as the processes mentioned here
136# Note: Upgrade to high after an initial baseline to your environement.
137level: medium
References
Related rules
- Scheduled Task Creation Masquerading as System Processes
- Suspicious Process Masquerading As SvcHost.EXE
- Creation Of Pod In System Namespace
- Potential Binary Impersonating Sysinternals Tools
- Windows Processes Suspicious Parent Directory