Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).

Sigma rule (View on GitHub)

  1title: Files With System Process Name In Unsuspected Locations
  2id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
  3status: test
  4description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
  5author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
  6date: 2020/05/26
  7modified: 2023/03/23
  8tags:
  9    - attack.defense_evasion
 10    - attack.t1036.005
 11logsource:
 12    category: file_event
 13    product: windows
 14detection:
 15    selection:
 16        TargetFilename|endswith:
 17            - '\AtBroker.exe'
 18            - '\audiodg.exe'
 19            - '\backgroundTaskHost.exe'
 20            - '\bcdedit.exe'
 21            - '\bitsadmin.exe'
 22            - '\cmdl32.exe'
 23            - '\cmstp.exe'
 24            - '\conhost.exe'
 25            - '\csrss.exe'
 26            - '\dasHost.exe'
 27            - '\dfrgui.exe'
 28            - '\dllhost.exe'
 29            - '\dwm.exe'
 30            - '\eventcreate.exe'
 31            - '\eventvwr.exe'
 32            - '\explorer.exe'
 33            - '\extrac32.exe'
 34            - '\fontdrvhost.exe'
 35            - '\ipconfig.exe'
 36            - '\iscsicli.exe'
 37            - '\iscsicpl.exe'
 38            - '\logman.exe'
 39            - '\LogonUI.exe'
 40            - '\LsaIso.exe'
 41            - '\lsass.exe'
 42            - '\lsm.exe'
 43            - '\msiexec.exe'
 44            - '\msinfo32.exe'
 45            - '\mstsc.exe'
 46            - '\nbtstat.exe'
 47            - '\odbcconf.exe'
 48            - '\powershell.exe'
 49            - '\pwsh.exe'
 50            - '\regini.exe'
 51            - '\regsvr32.exe'
 52            - '\rundll32.exe'
 53            - '\RuntimeBroker.exe'
 54            - '\schtasks.exe'
 55            - '\SearchFilterHost.exe'
 56            - '\SearchIndexer.exe'
 57            - '\SearchProtocolHost.exe'
 58            - '\SecurityHealthService.exe'
 59            - '\SecurityHealthSystray.exe'
 60            - '\services.exe'
 61            - '\ShellAppRuntime.exe'
 62            - '\sihost.exe'
 63            - '\smartscreen.exe'
 64            - '\smss.exe'
 65            - '\spoolsv.exe'
 66            - '\svchost.exe'
 67            - '\SystemSettingsBroker.exe'
 68            - '\taskhost.exe'
 69            - '\taskhostw.exe'
 70            - '\Taskmgr.exe'
 71            - '\TiWorker.exe'
 72            - '\vssadmin.exe'
 73            - '\w32tm.exe'
 74            - '\WerFault.exe'
 75            - '\WerFaultSecure.exe'
 76            - '\wermgr.exe'
 77            - '\wevtutil.exe'
 78            - '\wininit.exe'
 79            - '\winlogon.exe'
 80            - '\winrshost.exe'
 81            - '\WinRTNetMUAHostServer.exe'
 82            - '\wlanext.exe'
 83            - '\wlrmdr.exe'
 84            - '\WmiPrvSE.exe'
 85            - '\wslhost.exe'
 86            - '\WSReset.exe'
 87            - '\WUDFHost.exe'
 88            - '\WWAHost.exe'
 89    filter1:
 90        TargetFilename|startswith:
 91            - 'C:\Windows\System32\'
 92            - 'C:\Windows\SysWOW64\'
 93            - 'C:\Windows\WinSxS\'
 94            - 'C:\Windows\SoftwareDistribution\'
 95            - '\SystemRoot\System32\'
 96        Image|endswith:
 97            - '\Windows\System32\dism.exe'
 98            - '\TiWorker.exe'
 99    filter2:
100        TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
101        Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
102    filter3:
103        TargetFilename|endswith: '\RuntimeBroker.exe'
104        Image: 'C:\Windows\system32\wbengine.exe'
105    filter4:
106        Image|endswith: ':\Windows\system32\svchost.exe'
107        TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\'
108        TargetFilename|endswith:
109            - '\spoolsv.exe'
110            - '\bcdedit.exe'
111    filter5:
112        Image|endswith: ':\Windows\system32\svchost.exe'
113        TargetFilename|startswith: 'C:Program Files\WindowsApps\'
114    filter6:
115        Image: C:\Windows\System32\wuauclt.exe
116    filter7:
117        TargetFilename: 'C:\Windows\explorer.exe'
118    filter8:
119        # This filter handles system processes who are updated/installed using misexec.
120        Image: C:\WINDOWS\system32\msiexec.exe
121        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
122        TargetFilename: C:\Program Files\PowerShell\7\pwsh.exe
123    filter_healtray:
124        TargetFilename|startswith: 'C:\Windows\System32\SecurityHealth\'
125        TargetFilename|endswith: '\SecurityHealthSystray.exe'
126        Image|endswith: '\SecurityHealthSetup.exe'
127    condition: selection and not 1 of filter*
128fields:
129    - Image
130falsepositives:
131    - System processes copied outside their default folders for testing purposes
132    - Third party software naming their software with the same names as the processes mentioned here
133level: high

