System File Execution Location Anomaly

Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.

Sigma rule

title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
      type: derived
status: experimental
description: |
        Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
    - https://asec.ahnlab.com/en/39828/
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2024-07-16
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\atbroker.exe'
            - '\audiodg.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\certreq.exe'
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\consent.exe'
            - '\cscript.exe'
            - '\csrss.exe'
            - '\dashost.exe'
            - '\defrag.exe'
            - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
            - '\dism.exe'
            - '\dllhost.exe'
            - '\dllhst3g.exe'
            - '\dwm.exe'
            - '\eventvwr.exe'
            - '\logonui.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\ntoskrnl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\runonce.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\Taskmgr.exe'
            - '\userinit.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winver.exe'
            - '\wlanext.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
    filter_main_wsl_windowsapps:
        Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
        Image|endswith: '\wsl.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
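To make the condition concrete, here is an added Python re-implementation of the rule's selection and filters (example code written for this page, not part of the Sigma rule or the SigmaHQ project). It follows Sigma's default case-insensitive string matching, and the process_creation Image values it evaluates are constructed samples, not real telemetry.

```python
# Added example: the rule's condition re-implemented; Sigma matches strings case-insensitively.

SELECTION_ENDSWITH = [  # the rule's Image|endswith list
    "\\atbroker.exe", "\\audiodg.exe", "\\bcdedit.exe", "\\bitsadmin.exe", "\\certreq.exe",
    "\\certutil.exe", "\\cmstp.exe", "\\conhost.exe", "\\consent.exe", "\\cscript.exe",
    "\\csrss.exe", "\\dashost.exe", "\\defrag.exe", "\\dfrgui.exe", "\\dism.exe",
    "\\dllhost.exe", "\\dllhst3g.exe", "\\dwm.exe", "\\eventvwr.exe", "\\logonui.exe",
    "\\LsaIso.exe", "\\lsass.exe", "\\lsm.exe", "\\msiexec.exe", "\\ntoskrnl.exe",
    "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\runonce.exe", "\\RuntimeBroker.exe", "\\schtasks.exe", "\\services.exe", "\\sihost.exe",
    "\\smartscreen.exe", "\\smss.exe", "\\spoolsv.exe", "\\svchost.exe", "\\taskhost.exe",
    "\\Taskmgr.exe", "\\userinit.exe", "\\wininit.exe", "\\winlogon.exe", "\\winver.exe",
    "\\wlanext.exe", "\\wscript.exe", "\\wsl.exe", "\\wsmprovhost.exe",
]
FILTER_MAIN_GENERIC_STARTSWITH = [
    "C:\\$WINDOWS.~BT\\", "C:\\$WinREAgent\\", "C:\\Windows\\SoftwareDistribution\\",
    "C:\\Windows\\System32\\", "C:\\Windows\\SystemTemp\\", "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\uus\\", "C:\\Windows\\WinSxS\\",
]
FILTER_OPTIONAL_SYSTEM32_CONTAINS = "\\SystemRoot\\System32\\"
FILTER_MAIN_POWERSHELL_EXACT = ["C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                                "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe"]
FILTER_MAIN_WSL_STARTSWITH = "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux"


def matches_rule(image: str) -> bool:
    """True when 'selection and not 1 of filter_main_* and not 1 of filter_optional_*' holds."""
    img = image.lower()
    if not any(img.endswith(s.lower()) for s in SELECTION_ENDSWITH):
        return False  # not one of the watched system binaries
    filters = [
        any(img.startswith(p.lower()) for p in FILTER_MAIN_GENERIC_STARTSWITH),
        FILTER_OPTIONAL_SYSTEM32_CONTAINS.lower() in img,
        img in [p.lower() for p in FILTER_MAIN_POWERSHELL_EXACT],
        img.startswith(FILTER_MAIN_WSL_STARTSWITH.lower()) and img.endswith("\\wsl.exe"),  # both fields: AND
    ]
    return not any(filters)


def evaluate(images):
    return [i for i in images if matches_rule(i)]  # Image values that would raise an alert


# Constructed sample events for process_creation; none are taken from a real incident.
SAMPLE_IMAGES = [
    "C:\\Windows\\System32\\svchost.exe",           # legitimate location, filtered
    "C:\\Users\\Public\\Music\\svchost.exe",        # masquerade in a user-writable dir, alert
    "\\SystemRoot\\System32\\smss.exe",             # early-boot path form, filtered (optional filter)
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe",   # PowerShell 7 install, filtered by exact match
    "C:\\Temp\\PWSH.EXE",                            # case differs but still matches, alert
    "C:\\Windows\\Temp\\rundll32.exe",              # C:\Windows\Temp is not in the filter, alert
    "C:\\Program Files\\Notepad++\\notepad++.exe",  # not in the selection, no alert
]
```

Running evaluate(SAMPLE_IMAGES) returns the three alerting paths; the optional System32 filter shows why a path such as \SystemRoot\System32\ must be excluded before treating a hit as suspicious.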
