Suspicious Service Binary Directory

Feb 1, 2023 · attack.defense_evasion attack.t1202 ·

Detects a service binary running in a suspicious directory

Sigma rule (View on GitHub)

 1title: Suspicious Service Binary Directory
 2id: 883faa95-175a-4e22-8181-e5761aeb373c
 3status: test
 4description: Detects a service binary running in a suspicious directory
 5references:
 6    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
 7author: Florian Roth (Nextron Systems)
 8date: 2021/03/09
 9modified: 2022/10/09
10tags:
11    - attack.defense_evasion
12    - attack.t1202
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|contains:
19            - '\Users\Public\'
20            - '\$Recycle.bin'
21            - '\Users\All Users\'
22            - '\Users\Default\'
23            - '\Users\Contacts\'
24            - '\Users\Searches\'
25            - 'C:\Perflogs\'
26            - '\config\systemprofile\'
27            - '\Windows\Fonts\'
28            - '\Windows\IME\'
29            - '\Windows\addins\'
30        ParentImage|endswith:
31            - '\services.exe'
32            - '\svchost.exe'
33    condition: selection
34falsepositives:
35    - Unknown
36level: high

References

https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/

Read More

Suspicious Service Binary Directory

Sigma rule (View on GitHub)

References

https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/

Related rules