Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).

Sigma rule

  1title: Files With System Process Name In Unsuspected Locations
  2id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
  3status: test
  4description: |
  5        Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
  6references:
  7    - Internal Research
  8author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
  9date: 2020/05/26
 10modified: 2023/11/10
 11tags:
 12    - attack.defense_evasion
 13    - attack.t1036.005
 14logsource:
 15    category: file_event
 16    product: windows
 17detection:
 18    selection:
 19        TargetFilename|endswith:
 20            - '\AtBroker.exe'
 21            - '\audiodg.exe'
 22            - '\backgroundTaskHost.exe'
 23            - '\bcdedit.exe'
 24            - '\bitsadmin.exe'
 25            - '\cmdl32.exe'
 26            - '\cmstp.exe'
 27            - '\conhost.exe'
 28            - '\csrss.exe'
 29            - '\dasHost.exe'
 30            - '\dfrgui.exe'
 31            - '\dllhost.exe'
 32            - '\dwm.exe'
 33            - '\eventcreate.exe'
 34            - '\eventvwr.exe'
 35            - '\explorer.exe'
 36            - '\extrac32.exe'
 37            - '\fontdrvhost.exe'
 38            - '\ipconfig.exe'
 39            - '\iscsicli.exe'
 40            - '\iscsicpl.exe'
 41            - '\logman.exe'
 42            - '\LogonUI.exe'
 43            - '\LsaIso.exe'
 44            - '\lsass.exe'
 45            - '\lsm.exe'
 46            - '\msiexec.exe'
 47            - '\msinfo32.exe'
 48            - '\mstsc.exe'
 49            - '\nbtstat.exe'
 50            - '\odbcconf.exe'
 51            - '\powershell.exe'
 52            - '\pwsh.exe'
 53            - '\regini.exe'
 54            - '\regsvr32.exe'
 55            - '\rundll32.exe'
 56            - '\RuntimeBroker.exe'
 57            - '\schtasks.exe'
 58            - '\SearchFilterHost.exe'
 59            - '\SearchIndexer.exe'
 60            - '\SearchProtocolHost.exe'
 61            - '\SecurityHealthService.exe'
 62            - '\SecurityHealthSystray.exe'
 63            - '\services.exe'
 64            - '\ShellAppRuntime.exe'
 65            - '\sihost.exe'
 66            - '\smartscreen.exe'
 67            - '\smss.exe'
 68            - '\spoolsv.exe'
 69            - '\svchost.exe'
 70            - '\SystemSettingsBroker.exe'
 71            - '\taskhost.exe'
 72            - '\taskhostw.exe'
 73            - '\Taskmgr.exe'
 74            - '\TiWorker.exe'
 75            - '\vssadmin.exe'
 76            - '\w32tm.exe'
 77            - '\WerFault.exe'
 78            - '\WerFaultSecure.exe'
 79            - '\wermgr.exe'
 80            - '\wevtutil.exe'
 81            - '\wininit.exe'
 82            - '\winlogon.exe'
 83            - '\winrshost.exe'
 84            - '\WinRTNetMUAHostServer.exe'
 85            - '\wlanext.exe'
 86            - '\wlrmdr.exe'
 87            - '\WmiPrvSE.exe'
 88            - '\wslhost.exe'
 89            - '\WSReset.exe'
 90            - '\WUDFHost.exe'
 91            - '\WWAHost.exe'
 92    filter_main_dism_tiworker:
 93        TargetFilename|contains:
 94            - ':\Windows\SoftwareDistribution\'
 95            - ':\Windows\System32\'
 96            - ':\Windows\SysWOW64\'
 97            - ':\Windows\WinSxS\'
 98            - '\SystemRoot\System32\'
 99        Image|endswith:
100            - '\Windows\System32\dism.exe'
101            - '\TiWorker.exe'
102    filter_main_setuphost:
103        TargetFilename|contains: ':\$WINDOWS.~BT\'
104        Image|endswith: ':\$WINDOWS.~BT\Sources\SetupHost.exe'
105    filter_main_wbengine:
106        TargetFilename|endswith: '\RuntimeBroker.exe'
107        Image|endswith: ':\Windows\system32\wbengine.exe'
108    filter_main_svchost:
109        Image|endswith: ':\Windows\system32\svchost.exe'
110        TargetFilename|contains:
111            - ':\Windows\SoftwareDistribution\Download\'
112            - ':\Program Files\WindowsApps\'
113    filter_main_wuauclt:
114        Image|endswith: ':\Windows\System32\wuauclt.exe'
115    filter_main_explorer:
116        TargetFilename|endswith: ':\Windows\explorer.exe'
117    filter_main_msiexec:
118        # This filter handles system processes who are updated/installed using misexec.
119        Image|endswith: ':\WINDOWS\system32\msiexec.exe'
120        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
121        TargetFilename|endswith:
122            - ':\Program Files\PowerShell\7\pwsh.exe'
123            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
124    filter_main_healtray:
125        TargetFilename|contains: ':\Windows\System32\SecurityHealth\'
126        TargetFilename|endswith: '\SecurityHealthSystray.exe'
127        Image|endswith: '\SecurityHealthSetup.exe'
128    filter_main_wuaucltcore:
129        Image|contains: ':\Windows\uus\'
130        Image|endswith: '\wuaucltcore.exe'
131        TargetFilename|contains: ':\$WinREAgent\'
132    condition: selection and not 1 of filter_main_*
133falsepositives:
134    - System processes copied outside their default folders for testing purposes
135    - Third party software naming their software with the same names as the processes mentioned here
136level: high
