Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Sigma rule
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\fsquirt.exe' # seen used by the SideWinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter_main_generic:
        # Note: A 'contains' match on these directories also exempts every subfolder beneath them,
        # including user-writable ones. Replace it with a more specific filter to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_tiworker:
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
        TargetFilename|startswith: 'C:\Windows\Temp\'
    filter_main_svchost:
        Image|endswith:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|contains:
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\WindowsApps\'
            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\SysWOW64\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system binaries that are installed or updated through msiexec.
        Image|endswith:
            - 'C:\WINDOWS\system32\msiexec.exe'
            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more target paths as you find them, or simply filter on msiexec alone if the list grows big.
        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - System processes copied outside their default folders for testing purposes
    - Third-party software that uses the same names as the processes listed here
# Note: Raise the level to high after an initial baseline of your environment.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml
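To see what the condition above does on concrete field values, here is an added Python example (written for this page; it is not SigmaHQ code and not the project's matching engine) that evaluates the rule's selection and filters over constructed Sysmon Event ID 11 (FileCreate) records, using Sigma's case-insensitive string modifiers. It reproduces only a subset of the process-name list. The sample events, the user paths in them and the STRICT_FILTERS variant at the end are all assumptions made for illustration, not part of the rule: the strict variant shows how the generic 'contains' filter exempts any subfolder of System32 (the example uses spool\drivers\color, a subfolder commonly cited as writable by standard users) and how a regex filter that only exempts files whose immediate parent is System32 or SysWOW64 closes that gap.

```python
import re

# Added example (not SigmaHQ code): a minimal evaluator for Sigma map semantics,
# applied to constructed Sysmon Event ID 11 records. Only a subset of the rule's
# process names is reproduced. String modifiers compare case-insensitively as
# Sigma does; the |re modifier is case-sensitive unless the pattern carries (?i).

def _match(value, modifier, patterns):
    if modifier == "re":
        return any(re.search(p, value) for p in patterns)
    value, pats = value.lower(), tuple(p.lower() for p in patterns)
    if modifier == "endswith":
        return value.endswith(pats)
    if modifier == "startswith":
        return value.startswith(pats)
    if modifier == "contains":
        return any(p in value for p in pats)
    return value in pats          # no modifier: exact (case-insensitive) match

def match_map(ev, spec):
    # A Sigma map is an AND over its field|modifier keys; each value list is an OR.
    for key, patterns in spec.items():
        field, _, modifier = key.partition("|")
        if not _match(str(ev.get(field, "")), modifier, patterns):
            return False
    return True

SELECTION = {"TargetFilename|endswith": [
    "\\svchost.exe", "\\lsass.exe", "\\pwsh.exe", "\\explorer.exe", "\\rundll32.exe"]}

SERVICING_DIRS = ["C:\\$WINDOWS.~BT\\", "C:\\$WinREAgent\\", "C:\\Windows\\SoftwareDistribution\\",
                  "C:\\Windows\\WinSxS\\", "C:\\Windows\\uus\\"]

FILTERS = {
    "filter_main_generic": {"TargetFilename|contains":
        SERVICING_DIRS + ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
    "filter_main_tiworker": {"Image|endswith": ["\\TiWorker.exe", "\\wuaucltcore.exe"],
                             "TargetFilename|startswith": ["C:\\Windows\\Temp\\"]},
    "filter_main_svchost": {"Image|endswith": ["C:\\Windows\\system32\\svchost.exe",
                                               "C:\\Windows\\SysWOW64\\svchost.exe"],
                            "TargetFilename|contains": ["C:\\Program Files\\WindowsApps\\",
                                                        "C:\\Program Files (x86)\\WindowsApps\\",
                                                        "\\AppData\\Local\\Microsoft\\WindowsApps\\"]},
    "filter_main_wuauclt": {"Image": ["C:\\Windows\\System32\\wuauclt.exe",
                                      "C:\\Windows\\SysWOW64\\wuauclt.exe",
                                      "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe"]},
    "filter_main_explorer": {"TargetFilename|endswith": ["C:\\Windows\\explorer.exe"]},
    "filter_main_msiexec": {"Image|endswith": ["C:\\WINDOWS\\system32\\msiexec.exe",
                                               "C:\\WINDOWS\\SysWOW64\\msiexec.exe"],
                            "TargetFilename|startswith": ["C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                                                          "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
                                                          "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\"]},
    "filter_main_healtray": {"TargetFilename|contains": ["C:\\Windows\\System32\\SecurityHealth\\"],
                             "TargetFilename|endswith": ["\\SecurityHealthSystray.exe"],
                             "Image|endswith": ["\\SecurityHealthSetup.exe"]},
}

# Illustrative tightening (an assumption, not part of the rule): System32/SysWOW64
# are exempted only when they (or the PowerShell folder) are the file's immediate
# parent, so a drop into a writable subfolder no longer suppresses the alert.
STRICT_FILTERS = dict(FILTERS)
del STRICT_FILTERS["filter_main_generic"]
STRICT_FILTERS["filter_main_servicing"] = {"TargetFilename|contains": SERVICING_DIRS}
STRICT_FILTERS["filter_main_sysdir"] = {"TargetFilename|re": [
    r"(?i)^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$",
    r"(?i)^C:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\[^\\]+\.exe$"]}

def matches(ev, filters=FILTERS):
    # condition: selection and not 1 of filter_main_*
    return match_map(ev, SELECTION) and not any(match_map(ev, f) for f in filters.values())

def alerting_indices(events, filters=FILTERS):
    return [i for i, ev in enumerate(events) if matches(ev, filters)]

# Constructed records: Image is the writing process, TargetFilename the file written.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\setup.exe",        # 0: drop in %TEMP% -> alert
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    {"Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",  # 1: servicing stack -> generic filter
     "TargetFilename": "C:\\Windows\\System32\\svchost.exe"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",            # 2: PowerShell 7 MSI -> msiexec filter
     "TargetFilename": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},
    {"Image": "C:\\Users\\alice\\Downloads\\setup.exe",        # 3: same path, not msiexec -> alert
     "TargetFilename": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},
    {"Image": "C:\\Users\\alice\\Downloads\\setup.exe",        # 4: System32 subfolder -> missed by generic
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\color\\svchost.exe"},
    {"Image": "C:\\USERS\\PUBLIC\\UPDATER.EXE",                # 5: case differs, still selected -> alert
     "TargetFilename": "C:\\USERS\\PUBLIC\\LSASS.EXE"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, ev["TargetFilename"], "alert" if matches(ev) else "filtered",
              "/ strict:", "alert" if matches(ev, STRICT_FILTERS) else "filtered")
```

Running the script prints one line per record; with the rule's own filters records 0, 3 and 5 alert and record 4 is silently exempted by the generic 'contains' filter, while the strict variant also alerts on record 4 without touching the legitimate servicing write in record 1. Record 3 shows why the msiexec exemption keys on the writing Image and not just on the path. For production use, compile the rule with sigma-cli or pySigma for your backend rather than relying on an evaluator like this; the point here is only to make the filter semantics visible.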
Related rules
- Suspicious Process Masquerading As SvcHost.EXE
- Files With System DLL Name In Unsuspected Locations
- Unsigned .node File Loaded
- Uncommon Svchost Command Line Parameter
- Scheduled Task Creation Masquerading as System Processes