System File Execution Location Anomaly

Detects the execution of a Windows system binary that normally resides in the system folder (C:\Windows\System32 or C:\Windows\SysWOW64) from an uncommon location. Attackers drop copies of these binaries elsewhere, or name their own payloads after them, so that the process blends into a process listing (masquerading, ATT&CK T1036). The rule keys on the full image path rather than the file name alone: a listed name only fires when it runs from outside the expected directories, and binaries that legitimately live elsewhere (pwsh.exe under Program Files or the Store, wsl.exe under Program Files or a user's WindowsApps folder) are excluded by dedicated filters.

Sigma rule

title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
      type: derived
status: test
description: |
        Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
    - https://asec.ahnlab.com/en/39828/
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\atbroker.exe'
            - '\audiodg.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\certreq.exe'
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\consent.exe'
            - '\cscript.exe'
            - '\csrss.exe'
            - '\dashost.exe'
            - '\defrag.exe'
            - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
            - '\dism.exe'
            - '\dllhost.exe'
            - '\dllhst3g.exe'
            - '\dwm.exe'
            - '\eventvwr.exe'
            - '\fsquirt.exe' # Was seen used by SideWinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\finger.exe'
            - '\logonui.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\ntoskrnl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\runonce.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\userinit.exe'
            - '\werfault.exe'
            - '\werfaultsecure.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winver.exe'
            - '\wlanext.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
        Image|contains:
            - 'C:\Program Files\PowerShell\7\'
            - 'C:\Program Files\PowerShell\7-preview\'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
        Image|endswith: '\pwsh.exe'
    filter_main_wsl_programfiles:
        Image|startswith:
            - 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
            - 'C:\Program Files\WSL\'
        Image|endswith: '\wsl.exe'
    filter_main_wsl_appdata:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
        Image|endswith: '\wsl.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
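To see exactly which events the condition above admits and which it drops, the following is an added example (not SigmaHQ or pySigma code) that re-implements the rule's selection, filters and condition in plain Python and runs them over a handful of constructed Sysmon-style process_creation events. It assumes, as the Sigma specification requires, that the startswith/endswith/contains modifiers compare case-insensitively; the event paths and user names are made up.

```python
"""Stand-alone re-implementation of this rule's matching logic.

Added example, not SigmaHQ or pySigma code. Assumption: Sigma string
modifiers (startswith / endswith / contains) match case-insensitively,
so every comparison is done on lower-cased strings. Events are constructed."""

# Names from the rule's `selection`, each kept with its leading backslash so
# that e.g. 'notsvchost.exe' is not matched by '\svchost.exe'.
SELECTION_ENDSWITH = ["\\" + n for n in (
    "atbroker.exe", "audiodg.exe", "bcdedit.exe", "bitsadmin.exe", "certreq.exe",
    "certutil.exe", "cmstp.exe", "conhost.exe", "consent.exe", "cscript.exe",
    "csrss.exe", "dashost.exe", "defrag.exe", "dfrgui.exe", "dism.exe",
    "dllhost.exe", "dllhst3g.exe", "dwm.exe", "eventvwr.exe", "fsquirt.exe",
    "finger.exe", "logonui.exe", "LsaIso.exe", "lsass.exe", "lsm.exe",
    "msiexec.exe", "ntoskrnl.exe", "powershell_ise.exe", "powershell.exe",
    "pwsh.exe", "regsvr32.exe", "rundll32.exe", "runonce.exe", "RuntimeBroker.exe",
    "schtasks.exe", "services.exe", "sihost.exe", "smartscreen.exe", "smss.exe",
    "spoolsv.exe", "svchost.exe", "taskhost.exe", "taskhostw.exe", "Taskmgr.exe",
    "userinit.exe", "werfault.exe", "werfaultsecure.exe", "wininit.exe",
    "winlogon.exe", "winver.exe", "wlanext.exe", "wscript.exe", "wsl.exe",
    "wsmprovhost.exe",
)]


def _starts(image, values):    # Sigma |startswith: any value of the list
    return any(image.startswith(v.lower()) for v in values)


def _ends(image, values):      # Sigma |endswith
    return any(image.endswith(v.lower()) for v in values)


def _contains(image, values):  # Sigma |contains
    return any(v.lower() in image for v in values)


# One function per filter selection: fields are AND-ed, list values are OR-ed.
def filter_main_generic(image):
    return _starts(image, [
        "C:\\$WINDOWS.~BT\\", "C:\\$WinREAgent\\", "C:\\Windows\\SoftwareDistribution\\",
        "C:\\Windows\\System32\\", "C:\\Windows\\SystemTemp\\", "C:\\Windows\\SysWOW64\\",
        "C:\\Windows\\uus\\", "C:\\Windows\\WinSxS\\",
    ])


def filter_optional_system32(image):
    return _contains(image, ["\\SystemRoot\\System32\\"])


def filter_main_powershell(image):
    return _contains(image, [
        "C:\\Program Files\\PowerShell\\7\\",
        "C:\\Program Files\\PowerShell\\7-preview\\",
        "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview",
        "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview",
    ]) and _ends(image, ["\\pwsh.exe"])


def filter_main_wsl_programfiles(image):
    return _starts(image, [
        "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux",
        "C:\\Program Files\\WSL\\",
    ]) and _ends(image, ["\\wsl.exe"])


def filter_main_wsl_appdata(image):
    return (_starts(image, ["C:\\Users\\"])
            and _contains(image, ["\\AppData\\Local\\Microsoft\\WindowsApps\\"])
            and _ends(image, ["\\wsl.exe"]))


FILTERS = (filter_main_generic, filter_optional_system32, filter_main_powershell,
           filter_main_wsl_programfiles, filter_main_wsl_appdata)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    image = event.get("Image", "").lower()
    if not _ends(image, SELECTION_ENDSWITH):
        return False
    return not any(f(image) for f in FILTERS)


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe"},                                 # expected path
    {"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"},     # 32-bit host
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},                        # PowerShell 7
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\wsl.exe"}, # Store WSL
    {"Image": "\\SystemRoot\\System32\\smss.exe"},                                   # early-boot path form
    {"Image": "C:\\Windows\\System32\\notepad.exe"},                                 # not a listed binary
    {"Image": "C:\\Users\\Public\\svchost.exe"},                                     # dropped copy
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dfrgui.exe"},                # user temp dir
    {"Image": "C:\\Windows \\System32\\svchost.exe"},    # mock trusted dir: note the trailing space
    {"Image": "C:\\Windows\\Temp\\LSASS.EXE"},           # upper-case name still matches
]


def evaluate(events):
    """Return the Image paths the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two points the sample set is chosen to show. First, the filters are path-prefix allow-lists, not name checks: a mock trusted directory such as `C:\Windows \System32\` (with a trailing space after `Windows`) does not satisfy `filter_main_generic`, so a binary launched from it still alerts, while the `\SystemRoot\System32\` form that appears for early-boot processes is accepted by `filter_optional_system32`. Second, because Sigma matching is case-insensitive, `LSASS.EXE` and `LsaIso.exe` are handled the same way regardless of how the logging pipeline cases the path, which matters when a backend translates the rule into a case-sensitive query language.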
