Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
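title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
date: 2020/05/26
modified: 2023/03/23
tags:
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        # Only the file name is matched here; every location where a file with
        # one of these names is legitimately written is carved out by the
        # filter* selections below (keys inside one filter are ANDed).
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter1:
        # Servicing writes (DISM / TiWorker) into the Windows system and
        # servicing directories. Both conditions must hold for the exclusion.
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\SoftwareDistribution\'
            - '\SystemRoot\System32\'
        Image|endswith:
            - '\Windows\System32\dism.exe'
            - '\TiWorker.exe'
    filter2:
        # In-place upgrade staging by Windows Setup.
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
        Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
    filter3:
        # Block-level backup engine staging RuntimeBroker.exe.
        TargetFilename|endswith: '\RuntimeBroker.exe'
        Image: 'C:\Windows\system32\wbengine.exe'
    filter4:
        # Windows Update (svchost-hosted) downloads of these two binaries.
        Image|endswith: ':\Windows\system32\svchost.exe'
        TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        TargetFilename|endswith:
            - '\spoolsv.exe'
            - '\bcdedit.exe'
    filter5:
        # Store app installs under WindowsApps by the svchost-hosted service.
        # Fixed: the pattern previously read 'C:Program Files\WindowsApps\'
        # (no backslash after the drive letter); no absolute TargetFilename
        # starts with that text, so this exclusion never applied.
        Image|endswith: ':\Windows\system32\svchost.exe'
        TargetFilename|startswith: 'C:\Program Files\WindowsApps\'
    filter6:
        # Broad exclusion: every file created by the Windows Update client is
        # ignored regardless of destination. Consider narrowing it with a
        # TargetFilename|startswith constraint as in filter4 if the environment
        # allows it.
        Image: 'C:\Windows\System32\wuauclt.exe'
    filter7:
        # explorer.exe legitimately lives directly under C:\Windows rather than
        # System32, so only that exact path is exempted.
        TargetFilename: 'C:\Windows\explorer.exe'
    filter8:
        # This filter handles system processes that are updated/installed using msiexec.
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        # Add more target paths here as you find them; if the list grows large,
        # filter on the msiexec Image alone instead.
        TargetFilename: 'C:\Program Files\PowerShell\7\pwsh.exe'
    filter_healtray:
        # Windows Security setup refreshing its own tray binary in place.
        TargetFilename|startswith: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter*
fields:
    - Image
falsepositives:
    - System processes copied outside their default folders for testing purposes
    - Third party software naming their software with the same names as the processes mentioned here
level: high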