Suspicious Process Start Locations

Detects suspicious process run from unusual locations

Sigma rule (View on GitHub)

 1title: Suspicious Process Start Locations
 2id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
 3status: test
 4description: Detects suspicious process run from unusual locations
 5references:
 6    - https://car.mitre.org/wiki/CAR-2013-05-002
 7author: juju4, Jonhnathan Ribeiro, oscd.community
 8date: 2019/01/16
 9modified: 2022/01/07
10tags:
11    - attack.defense_evasion
12    - attack.t1036
13    - car.2013-05-002
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Image|contains:
20              - ':\RECYCLER\'
21              - ':\SystemVolumeInformation\'
22        - Image|startswith:
23              - 'C:\Windows\Tasks\'
24              - 'C:\Windows\debug\'
25              - 'C:\Windows\fonts\'
26              - 'C:\Windows\help\'
27              - 'C:\Windows\drivers\'
28              - 'C:\Windows\addins\'
29              - 'C:\Windows\cursors\'
30              - 'C:\Windows\system32\tasks\'
31    condition: selection
32falsepositives:
33    - False positives depend on scripts and administrative tools used in the monitored environment
34level: medium

References

Related rules

to-top