System File Execution Location Anomaly

Detects a Windows program executable started from a suspicious folder

Sigma rule

 1title: System File Execution Location Anomaly
 2id: e4a6b256-3e47-40fc-89d2-7a477edd6915
 3status: experimental
 4description: Detects a Windows program executable started from a suspicious folder
 5references:
 6    - https://twitter.com/GelosSnake/status/934900723426439170
 7    - https://asec.ahnlab.com/en/39828/
 8author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
 9date: 2017/11/27
10modified: 2023/10/18
11tags:
12    - attack.defense_evasion
13    - attack.t1036
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith:
20            - '\svchost.exe'
21            - '\rundll32.exe'
22            - '\services.exe'
23            - '\powershell.exe'
24            - '\powershell_ise.exe'
25            - '\pwsh.exe'
26            - '\regsvr32.exe'
27            - '\spoolsv.exe'
28            - '\lsass.exe'
29            - '\smss.exe'
30            - '\csrss.exe'
31            - '\conhost.exe'
32            - '\wininit.exe'
33            - '\lsm.exe'
34            - '\winlogon.exe'
35            - '\explorer.exe'
36            - '\taskhost.exe'
37            - '\Taskmgr.exe'
38            - '\sihost.exe'
39            - '\RuntimeBroker.exe'
40            - '\smartscreen.exe'
41            - '\dllhost.exe'
42            - '\audiodg.exe'
43            - '\wlanext.exe'
44            - '\dashost.exe'
45            - '\schtasks.exe'
46            - '\cscript.exe'
47            - '\wscript.exe'
48            - '\wsl.exe'
49            - '\bitsadmin.exe'
50            - '\atbroker.exe'
51            - '\bcdedit.exe'
52            - '\certutil.exe'
53            - '\certreq.exe'
54            - '\cmstp.exe'
55            - '\consent.exe'
56            - '\defrag.exe'
57            - '\dism.exe'
58            - '\dllhst3g.exe'
59            - '\eventvwr.exe'
60            - '\msiexec.exe'
61            - '\runonce.exe'
62            - '\winver.exe'
63            - '\logonui.exe'
64            - '\userinit.exe'
65            - '\dwm.exe'
66            - '\LsaIso.exe'
67            - '\ntoskrnl.exe'
68            # The below processes were seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
69            - '\wsmprovhost.exe'
70            - '\dfrgui.exe'
71    filter_generic:
72        - Image|startswith:
73              - 'C:\Windows\System32\'
74              - 'C:\Windows\SysWOW64\'
75              - 'C:\Windows\WinSxS\'
76              # - 'C:\avast! sandbox'
77        - Image|contains: '\SystemRoot\System32\'
78        - Image:
79              - 'C:\Windows\explorer.exe'
80              - 'C:\Program Files\PowerShell\7\pwsh.exe'
81              - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
82    filter_wsl_windowsapps:
83        Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
84        Image|endswith: '\wsl.exe'
85    condition: selection and not 1 of filter_*
86fields:
87    - ComputerName
88    - User
89    - Image
90falsepositives:
91    - Exotic software
92level: high
