System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Sigma rule:

```yaml
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
      type: derived
status: test
description: |
    Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
    - https://asec.ahnlab.com/en/39828/
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\atbroker.exe'
            - '\audiodg.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\certreq.exe'
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\consent.exe'
            - '\cscript.exe'
            - '\csrss.exe'
            - '\dashost.exe'
            - '\defrag.exe'
            - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
            - '\dism.exe'
            - '\dllhost.exe'
            - '\dllhst3g.exe'
            - '\dwm.exe'
            - '\eventvwr.exe'
            - '\logonui.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\ntoskrnl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\runonce.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\userinit.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winver.exe'
            - '\wlanext.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
        Image|contains:
            - 'C:\Program Files\PowerShell\7\'
            - 'C:\Program Files\PowerShell\7-preview\'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
        Image|endswith: '\pwsh.exe'
    filter_main_wsl_windowsapps:
        Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
        Image|endswith: '\wsl.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
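The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small Python evaluator that mirrors the rule's selection, filters and condition over constructed process_creation events, so the filter logic (including the implicit AND between the two fields of filter_main_powershell and the optional \SystemRoot\System32\ filter) can be checked before deploying a backend conversion. The binary list is a subset of the rule's, and the sample paths are constructed.

```python
# Added example (not the rule's own code): evaluates the rule's detection logic over
# constructed process_creation events. Sigma matching is case-insensitive, so paths are lower-cased.
SYSTEM_BINARIES = ("\\svchost.exe", "\\powershell.exe", "\\pwsh.exe",  # subset of the rule's list
                   "\\wsl.exe", "\\dfrgui.exe", "\\rundll32.exe")
GENERIC_PREFIXES = ("C:\\$WINDOWS.~BT\\", "C:\\$WinREAgent\\", "C:\\Windows\\SoftwareDistribution\\",
                    "C:\\Windows\\System32\\", "C:\\Windows\\SystemTemp\\", "C:\\Windows\\SysWOW64\\",
                    "C:\\Windows\\uus\\", "C:\\Windows\\WinSxS\\")
PWSH_PATHS = ("C:\\Program Files\\PowerShell\\7\\", "C:\\Program Files\\PowerShell\\7-preview\\",
              "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview",
              "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview")
WSL_PREFIX = "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux"

def _lc(values):
    return tuple(v.lower() for v in values)

def selection(image):
    return image.endswith(_lc(SYSTEM_BINARIES))

def filter_main_generic(image):
    return image.startswith(_lc(GENERIC_PREFIXES))

def filter_main_powershell(image):  # both field conditions must hold (implicit AND)
    return image.endswith("\\pwsh.exe") and any(p in image for p in _lc(PWSH_PATHS))

def filter_main_wsl_windowsapps(image):
    return image.endswith("\\wsl.exe") and image.startswith(WSL_PREFIX.lower())

def filter_optional_system32(image):
    return "\\systemroot\\system32\\" in image

def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    image = event["Image"].lower()
    main_filters = (filter_main_generic, filter_main_powershell, filter_main_wsl_windowsapps)
    return (selection(image) and not any(f(image) for f in main_filters)
            and not filter_optional_system32(image))

def alerts(events):
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if matches(e)]

# Constructed sample events; the paths are illustrative, not observed telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe"},          # expected path, filtered
    {"Image": "C:\\Users\\Public\\svchost.exe"},              # fires
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},  # legitimate pwsh, filtered
    {"Image": "C:\\Temp\\pwsh.exe"},                          # fires
    {"Image": "\\SystemRoot\\System32\\rundll32.exe"},        # filter_optional_system32
    {"Image": "C:\\Tools\\notepad.exe"},                      # not in selection
]
```

Running `alerts(SAMPLE_EVENTS)` returns only the two out-of-place images; a backend that drops the filter_optional_* clause or evaluates the two pwsh fields as OR will diverge from these results.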
Related rules
- Windows Binaries Write Suspicious Extensions
- Potentially Suspicious Execution From Tmp Folder
- Explorer Process Tree Break
- Potential LSASS Process Dump Via Procdump
- Suspicious Child Process Of Wermgr.EXE