System File Execution Location Anomaly

Detects a Windows system binary that normally resides in the Windows system folders (System32, SysWOW64, WinSxS and related servicing paths) being executed from an uncommon location, a typical masquerading technique (MITRE ATT&CK T1036).

Sigma rule

title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
      type: derived
status: test
description: |
        Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
    - https://asec.ahnlab.com/en/39828/
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\atbroker.exe'
            - '\audiodg.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\certreq.exe'
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\consent.exe'
            - '\cscript.exe'
            - '\csrss.exe'
            - '\dashost.exe'
            - '\defrag.exe'
            - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
            - '\dism.exe'
            - '\dllhost.exe'
            - '\dllhst3g.exe'
            - '\dwm.exe'
            - '\eventvwr.exe'
            - '\logonui.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\ntoskrnl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\runonce.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\userinit.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winver.exe'
            - '\wlanext.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
        Image|contains:
            - 'C:\Program Files\PowerShell\7\'
            - 'C:\Program Files\PowerShell\7-preview\'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
        Image|endswith: '\pwsh.exe'
    filter_main_wsl_windowsapps:
        Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
        Image|endswith: '\wsl.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
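To show how the selection and filters above combine, here is an added Python evaluator (written for this page, not code from the rule or from SigmaHQ) that applies the rule's detection block to a few constructed process_creation events. It mirrors the Sigma string modifiers `endswith`, `startswith` and `contains`, which the Sigma specification defines as case-insensitive, on the `Image` field only; the name and path lists are copied from the rule, while the sample events and their paths are made up for the demonstration.

```python
# Added example: hand-written evaluator for the rule's detection logic.
# This is NOT the Sigma toolchain; it mirrors the selection/filter semantics
# (endswith / startswith / contains, all case-insensitive) on the Image field.
from typing import Iterable

# Binary names from the rule's `selection` (Image|endswith).
SELECTION_ENDSWITH = (
    r"\atbroker.exe", r"\audiodg.exe", r"\bcdedit.exe", r"\bitsadmin.exe",
    r"\certreq.exe", r"\certutil.exe", r"\cmstp.exe", r"\conhost.exe",
    r"\consent.exe", r"\cscript.exe", r"\csrss.exe", r"\dashost.exe",
    r"\defrag.exe", r"\dfrgui.exe", r"\dism.exe", r"\dllhost.exe",
    r"\dllhst3g.exe", r"\dwm.exe", r"\eventvwr.exe", r"\logonui.exe",
    r"\LsaIso.exe", r"\lsass.exe", r"\lsm.exe", r"\msiexec.exe",
    r"\ntoskrnl.exe", r"\powershell_ise.exe", r"\powershell.exe", r"\pwsh.exe",
    r"\regsvr32.exe", r"\rundll32.exe", r"\runonce.exe", r"\RuntimeBroker.exe",
    r"\schtasks.exe", r"\services.exe", r"\sihost.exe", r"\smartscreen.exe",
    r"\smss.exe", r"\spoolsv.exe", r"\svchost.exe", r"\taskhost.exe",
    r"\taskhostw.exe", r"\Taskmgr.exe", r"\userinit.exe", r"\wininit.exe",
    r"\winlogon.exe", r"\winver.exe", r"\wlanext.exe", r"\wscript.exe",
    r"\wsl.exe", r"\wsmprovhost.exe",
)

# filter_main_generic (Image|startswith): the expected homes of these binaries.
FILTER_GENERIC_STARTSWITH = (
    "C:\\$WINDOWS.~BT\\", "C:\\$WinREAgent\\", "C:\\Windows\\SoftwareDistribution\\",
    "C:\\Windows\\System32\\", "C:\\Windows\\SystemTemp\\", "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\uus\\", "C:\\Windows\\WinSxS\\",
)
# filter_optional_system32 (Image|contains): NT-style path as some sources log it.
FILTER_SYSTEMROOT_CONTAINS = "\\SystemRoot\\System32\\"
# filter_main_powershell: Image|contains one of these AND Image|endswith '\pwsh.exe'.
FILTER_POWERSHELL_CONTAINS = (
    "C:\\Program Files\\PowerShell\\7\\",
    "C:\\Program Files\\PowerShell\\7-preview\\",
    "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview",
    "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview",
)
# filter_main_wsl_windowsapps: Image|startswith this AND Image|endswith '\wsl.exe'.
FILTER_WSL_STARTSWITH = "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux"


def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's `condition`."""
    image = str(event.get("Image", "")).lower()  # Sigma string matching is case-insensitive
    if not image:
        return False
    selection = any(image.endswith(n.lower()) for n in SELECTION_ENDSWITH)
    filter_main_generic = any(image.startswith(p.lower()) for p in FILTER_GENERIC_STARTSWITH)
    filter_optional_system32 = FILTER_SYSTEMROOT_CONTAINS.lower() in image
    filter_main_powershell = image.endswith("\\pwsh.exe") and any(
        p.lower() in image for p in FILTER_POWERSHELL_CONTAINS
    )
    filter_main_wsl = image.endswith("\\wsl.exe") and image.startswith(FILTER_WSL_STARTSWITH.lower())
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    any_filter_main = filter_main_generic or filter_main_powershell or filter_main_wsl
    return selection and not any_filter_main and not filter_optional_system32


def alerts(events: Iterable[dict]) -> list:
    """Image paths of all events that would fire the rule, in input order."""
    return [e["Image"] for e in events if matches(e)]


# Constructed sample events (not real telemetry); only the Image field matters here.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe"},                # legitimate: filtered
    {"Image": "C:\\Users\\Public\\Music\\svchost.exe"},             # masquerading: fires
    {"Image": "c:\\windows\\syswow64\\RUNDLL32.EXE"},               # only case differs: filtered
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},        # PowerShell 7 install: filtered
    {"Image": "C:\\Users\\bob\\Downloads\\pwsh.exe"},               # pwsh copied elsewhere: fires
    {"Image": "\\SystemRoot\\System32\\smss.exe"},                  # NT-style path: filtered
    {"Image": "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_1.0.0.0_x64__example\\wsl.exe"},  # store WSL: filtered
    {"Image": "C:\\Temp\\notepad.exe"},                             # name not in selection: no match
]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Two things worth noticing when reading the results: the filters only suppress the exact prefixes listed, so a genuine binary copied anywhere else (a user profile, `C:\Temp`, a removable drive) still fires, and matching is case-insensitive, so a path logged as `RUNDLL32.EXE` under `syswow64` is still excluded. For production use, convert the rule with sigma-cli / pySigma for your backend rather than re-implementing it; backends differ in how they handle case and wildcard escaping, and the evaluator above exists only to make the condition's logic visible.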
