Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Sigma rule (View on GitHub)

  1title: Files With System Process Name In Unsuspected Locations
  2id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
  3status: test
  4description: |
  5    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
  6    It is highly recommended to perform an initial baseline before using this rule in production.    
  7references:
  8    - Internal Research
  9author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 10date: 2020-05-26
 11modified: 2024-06-24
 12tags:
 13    - attack.defense-evasion
 14    - attack.t1036.005
 15logsource:
 16    category: file_event
 17    product: windows
 18detection:
 19    selection:
 20        TargetFilename|endswith:
 21            - '\AtBroker.exe'
 22            - '\audiodg.exe'
 23            - '\backgroundTaskHost.exe'
 24            - '\bcdedit.exe'
 25            - '\bitsadmin.exe'
 26            - '\cmdl32.exe'
 27            - '\cmstp.exe'
 28            - '\conhost.exe'
 29            - '\csrss.exe'
 30            - '\dasHost.exe'
 31            - '\dfrgui.exe'
 32            - '\dllhost.exe'
 33            - '\dwm.exe'
 34            - '\eventcreate.exe'
 35            - '\eventvwr.exe'
 36            - '\explorer.exe'
 37            - '\extrac32.exe'
 38            - '\fontdrvhost.exe'
 39            - '\ipconfig.exe'
 40            - '\iscsicli.exe'
 41            - '\iscsicpl.exe'
 42            - '\logman.exe'
 43            - '\LogonUI.exe'
 44            - '\LsaIso.exe'
 45            - '\lsass.exe'
 46            - '\lsm.exe'
 47            - '\msiexec.exe'
 48            - '\msinfo32.exe'
 49            - '\mstsc.exe'
 50            - '\nbtstat.exe'
 51            - '\odbcconf.exe'
 52            - '\powershell.exe'
 53            - '\pwsh.exe'
 54            - '\regini.exe'
 55            - '\regsvr32.exe'
 56            - '\rundll32.exe'
 57            - '\RuntimeBroker.exe'
 58            - '\schtasks.exe'
 59            - '\SearchFilterHost.exe'
 60            - '\SearchIndexer.exe'
 61            - '\SearchProtocolHost.exe'
 62            - '\SecurityHealthService.exe'
 63            - '\SecurityHealthSystray.exe'
 64            - '\services.exe'
 65            - '\ShellAppRuntime.exe'
 66            - '\sihost.exe'
 67            - '\smartscreen.exe'
 68            - '\smss.exe'
 69            - '\spoolsv.exe'
 70            - '\svchost.exe'
 71            - '\SystemSettingsBroker.exe'
 72            - '\taskhost.exe'
 73            - '\taskhostw.exe'
 74            - '\Taskmgr.exe'
 75            - '\TiWorker.exe'
 76            - '\vssadmin.exe'
 77            - '\w32tm.exe'
 78            - '\WerFault.exe'
 79            - '\WerFaultSecure.exe'
 80            - '\wermgr.exe'
 81            - '\wevtutil.exe'
 82            - '\wininit.exe'
 83            - '\winlogon.exe'
 84            - '\winrshost.exe'
 85            - '\WinRTNetMUAHostServer.exe'
 86            - '\wlanext.exe'
 87            - '\wlrmdr.exe'
 88            - '\WmiPrvSE.exe'
 89            - '\wslhost.exe'
 90            - '\WSReset.exe'
 91            - '\WUDFHost.exe'
 92            - '\WWAHost.exe'
 93    filter_main_generic:
 94        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
 95        TargetFilename|contains:
 96            # - '\SystemRoot\System32\'
 97            - 'C:\$WINDOWS.~BT\'
 98            - 'C:\$WinREAgent\'
 99            - 'C:\Windows\SoftwareDistribution\'
100            - 'C:\Windows\System32\'
101            - 'C:\Windows\SysWOW64\'
102            - 'C:\Windows\WinSxS\'
103            - 'C:\Windows\uus\'
104    filter_main_svchost:
105        Image|endswith: 'C:\Windows\system32\svchost.exe'
106        TargetFilename|contains: 'C:\Program Files\WindowsApps\'
107    filter_main_wuauclt:
108        Image|endswith: 'C:\Windows\System32\wuauclt.exe'
109    filter_main_explorer:
110        TargetFilename|endswith: 'C:\Windows\explorer.exe'
111    filter_main_msiexec:
112        # This filter handles system processes who are updated/installed using misexec.
113        Image|endswith: 'C:\WINDOWS\system32\msiexec.exe'
114        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
115        TargetFilename|endswith:
116            - 'C:\Program Files\PowerShell\7\pwsh.exe'
117            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
118    filter_main_healtray:
119        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
120        TargetFilename|endswith: '\SecurityHealthSystray.exe'
121        Image|endswith: '\SecurityHealthSetup.exe'
122    condition: selection and not 1 of filter_main_*
123falsepositives:
124    - System processes copied outside their default folders for testing purposes
125    - Third party software naming their software with the same names as the processes mentioned here
126# Note: Upgrade to high after an initial baseline to your environement.
127level: medium

References

Related rules

to-top