Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Sigma rule (View on GitHub)

  1title: Files With System Process Name In Unsuspected Locations
  2id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
  3status: test
  4description: |
  5    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
  6    It is highly recommended to perform an initial baseline before using this rule in production.    
  7references:
  8    - Internal Research
  9author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 10date: 2020-05-26
 11modified: 2025-10-07
 12tags:
 13    - attack.defense-evasion
 14    - attack.t1036.005
 15logsource:
 16    category: file_event
 17    product: windows
 18detection:
 19    selection:
 20        TargetFilename|endswith:
 21            - '\AtBroker.exe'
 22            - '\audiodg.exe'
 23            - '\backgroundTaskHost.exe'
 24            - '\bcdedit.exe'
 25            - '\bitsadmin.exe'
 26            - '\cmdl32.exe'
 27            - '\cmstp.exe'
 28            - '\conhost.exe'
 29            - '\csrss.exe'
 30            - '\dasHost.exe'
 31            - '\dfrgui.exe'
 32            - '\dllhost.exe'
 33            - '\dwm.exe'
 34            - '\eventcreate.exe'
 35            - '\eventvwr.exe'
 36            - '\explorer.exe'
 37            - '\extrac32.exe'
 38            - '\fontdrvhost.exe'
 39            - '\ipconfig.exe'
 40            - '\iscsicli.exe'
 41            - '\iscsicpl.exe'
 42            - '\logman.exe'
 43            - '\LogonUI.exe'
 44            - '\LsaIso.exe'
 45            - '\lsass.exe'
 46            - '\lsm.exe'
 47            - '\msiexec.exe'
 48            - '\msinfo32.exe'
 49            - '\mstsc.exe'
 50            - '\nbtstat.exe'
 51            - '\odbcconf.exe'
 52            - '\powershell.exe'
 53            - '\pwsh.exe'
 54            - '\regini.exe'
 55            - '\regsvr32.exe'
 56            - '\rundll32.exe'
 57            - '\RuntimeBroker.exe'
 58            - '\schtasks.exe'
 59            - '\SearchFilterHost.exe'
 60            - '\SearchIndexer.exe'
 61            - '\SearchProtocolHost.exe'
 62            - '\SecurityHealthService.exe'
 63            - '\SecurityHealthSystray.exe'
 64            - '\services.exe'
 65            - '\ShellAppRuntime.exe'
 66            - '\sihost.exe'
 67            - '\smartscreen.exe'
 68            - '\smss.exe'
 69            - '\spoolsv.exe'
 70            - '\svchost.exe'
 71            - '\SystemSettingsBroker.exe'
 72            - '\taskhost.exe'
 73            - '\taskhostw.exe'
 74            - '\Taskmgr.exe'
 75            - '\TiWorker.exe'
 76            - '\vssadmin.exe'
 77            - '\w32tm.exe'
 78            - '\WerFault.exe'
 79            - '\WerFaultSecure.exe'
 80            - '\wermgr.exe'
 81            - '\wevtutil.exe'
 82            - '\wininit.exe'
 83            - '\winlogon.exe'
 84            - '\winrshost.exe'
 85            - '\WinRTNetMUAHostServer.exe'
 86            - '\wlanext.exe'
 87            - '\wlrmdr.exe'
 88            - '\WmiPrvSE.exe'
 89            - '\wslhost.exe'
 90            - '\WSReset.exe'
 91            - '\WUDFHost.exe'
 92            - '\WWAHost.exe'
 93    filter_main_generic:
 94        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
 95        TargetFilename|contains:
 96            # - '\SystemRoot\System32\'
 97            - 'C:\$WINDOWS.~BT\'
 98            - 'C:\$WinREAgent\'
 99            - 'C:\Windows\SoftwareDistribution\'
100            - 'C:\Windows\System32\'
101            - 'C:\Windows\SysWOW64\'
102            - 'C:\Windows\WinSxS\'
103            - 'C:\Windows\uus\'
104    filter_main_svchost:
105        Image|endswith:
106            - 'C:\Windows\system32\svchost.exe'
107            - 'C:\Windows\SysWOW64\svchost.exe'
108        TargetFilename|contains:
109            - 'C:\Program Files\WindowsApps\'
110            - 'C:\Program Files (x86)\WindowsApps\'
111            - '\AppData\Local\Microsoft\WindowsApps\'
112    filter_main_wuauclt:
113        Image|endswith:
114            - 'C:\Windows\System32\wuauclt.exe'
115            - 'C:\Windows\SysWOW64\wuauclt.exe'
116    filter_main_explorer:
117        TargetFilename|endswith: 'C:\Windows\explorer.exe'
118    filter_main_msiexec:
119        # This filter handles system processes who are updated/installed using misexec.
120        Image|endswith:
121            - 'C:\WINDOWS\system32\msiexec.exe'
122            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
123        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
124        TargetFilename|startswith:
125            - 'C:\Program Files\PowerShell\7\pwsh.exe'
126            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
127            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
128    filter_main_healtray:
129        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
130        TargetFilename|endswith: '\SecurityHealthSystray.exe'
131        Image|endswith: '\SecurityHealthSetup.exe'
132    condition: selection and not 1 of filter_main_*
133falsepositives:
134    - System processes copied outside their default folders for testing purposes
135    - Third party software naming their software with the same names as the processes mentioned here
136# Note: Upgrade to high after an initial baseline to your environement.
137level: medium

References

Related rules

to-top