Suspicious Process Start Locations
Detects suspicious process run from unusual locations
Sigma rule
```yaml
title: Suspicious Process Start Locations
id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
status: test
description: Detects suspicious process run from unusual locations
references:
    - https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2022-01-07
tags:
    - attack.defense-evasion
    - attack.t1036
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
            - ':\RECYCLER\'
            - ':\SystemVolumeInformation\'
        - Image|startswith:
            - 'C:\Windows\Tasks\'
            - 'C:\Windows\debug\'
            - 'C:\Windows\fonts\'
            - 'C:\Windows\help\'
            - 'C:\Windows\drivers\'
            - 'C:\Windows\addins\'
            - 'C:\Windows\cursors\'
            - 'C:\Windows\system32\tasks\'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
```
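As an added example (not part of the rule or of the Sigma project), the following Python evaluates this rule's `selection` block over constructed process_creation events. It assumes Sigma's default semantics: the two maps in the `selection` list are OR'ed, each value list is OR'ed, and string matching is case-insensitive, which is why a path under `C:\WINDOWS\System32\Tasks\` still matches the lower-case pattern in the rule.

```python
from typing import Dict, Iterable, List

# The two value lists from the rule's "selection" block (Windows paths, so
# backslashes are doubled in Python string literals).
IMAGE_CONTAINS = [":\\RECYCLER\\", ":\\SystemVolumeInformation\\"]
IMAGE_STARTSWITH = [
    "C:\\Windows\\Tasks\\",
    "C:\\Windows\\debug\\",
    "C:\\Windows\\fonts\\",
    "C:\\Windows\\help\\",
    "C:\\Windows\\drivers\\",
    "C:\\Windows\\addins\\",
    "C:\\Windows\\cursors\\",
    "C:\\Windows\\system32\\tasks\\",
]


def image_matches(image: str) -> bool:
    """Evaluate the rule's selection for one Image value.

    The selection is a list of two maps, which Sigma ORs together; each
    map's value list is also OR'ed. Sigma string matching is case-insensitive
    by default, so both sides are lower-cased before comparing.
    """
    img = image.lower()
    return any(s.lower() in img for s in IMAGE_CONTAINS) or any(
        img.startswith(p.lower()) for p in IMAGE_STARTSWITH
    )


def evaluate(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the Image of every process_creation event the rule would fire on."""
    return [e["Image"] for e in events if image_matches(e.get("Image", ""))]


# Constructed sample events (not real telemetry); only the Image field matters here.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\Tasks\\update.exe"},             # startswith hit
    {"Image": "C:\\WINDOWS\\System32\\Tasks\\svc.exe"},      # hit despite different case
    {"Image": "D:\\RECYCLER\\S-1-5-21-1\\lsass.exe"},        # contains hit, any drive letter
    {"Image": "C:\\Windows\\System32\\svchost.exe"},         # benign system binary, no hit
    {"Image": "C:\\Users\\alice\\Downloads\\helpdesk.exe"},  # 'help' substring is not a prefix match
    {"CommandLine": "cmd.exe /c whoami"},                    # no Image field, no hit
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT Suspicious Process Start Locations:", hit)
```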
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution