Files With System Process Name In Unsuspected Locations

Severity: medium
Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1036.005` Masquerading: Match Legitimate Resource Name or Location

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

or:
TargetFilename|endswith: '\AtBroker.exe'
TargetFilename|endswith: '\LogonUI.exe'
TargetFilename|endswith: '\LsaIso.exe'
TargetFilename|endswith: '\RuntimeBroker.exe'
TargetFilename|endswith: '\SearchFilterHost.exe'
TargetFilename|endswith: '\SearchIndexer.exe'
TargetFilename|endswith: '\SearchProtocolHost.exe'
TargetFilename|endswith: '\SecurityHealthService.exe'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
TargetFilename|endswith: '\ShellAppRuntime.exe'
TargetFilename|endswith: '\SystemSettingsBroker.exe'
TargetFilename|endswith: '\Taskmgr.exe'
TargetFilename|endswith: '\TiWorker.exe'
TargetFilename|endswith: '\WSReset.exe'
TargetFilename|endswith: '\WUDFHost.exe'
TargetFilename|endswith: '\WWAHost.exe'
TargetFilename|endswith: '\WerFault.exe'
TargetFilename|endswith: '\WerFaultSecure.exe'
TargetFilename|endswith: '\WinRTNetMUAHostServer.exe'
TargetFilename|endswith: '\WmiPrvSE.exe'
TargetFilename|endswith: '\audiodg.exe'
TargetFilename|endswith: '\backgroundTaskHost.exe'
TargetFilename|endswith: '\bcdedit.exe'
TargetFilename|endswith: '\bitsadmin.exe'
TargetFilename|endswith: '\cmdl32.exe'
TargetFilename|endswith: '\cmstp.exe'
TargetFilename|endswith: '\conhost.exe'
TargetFilename|endswith: '\csrss.exe'
TargetFilename|endswith: '\dasHost.exe'
TargetFilename|endswith: '\dfrgui.exe'
TargetFilename|endswith: '\dllhost.exe'
TargetFilename|endswith: '\dwm.exe'
TargetFilename|endswith: '\eventcreate.exe'
TargetFilename|endswith: '\eventvwr.exe'
TargetFilename|endswith: '\explorer.exe'
TargetFilename|endswith: '\extrac32.exe'
TargetFilename|endswith: '\fontdrvhost.exe'
TargetFilename|endswith: '\fsquirt.exe'
TargetFilename|endswith: '\ipconfig.exe'
TargetFilename|endswith: '\iscsicli.exe'
TargetFilename|endswith: '\iscsicpl.exe'
TargetFilename|endswith: '\logman.exe'
TargetFilename|endswith: '\lsass.exe'
TargetFilename|endswith: '\lsm.exe'
TargetFilename|endswith: '\msiexec.exe'
TargetFilename|endswith: '\msinfo32.exe'
TargetFilename|endswith: '\mstsc.exe'
TargetFilename|endswith: '\nbtstat.exe'
TargetFilename|endswith: '\odbcconf.exe'
TargetFilename|endswith: '\powershell.exe'
TargetFilename|endswith: '\pwsh.exe'
TargetFilename|endswith: '\regini.exe'
TargetFilename|endswith: '\regsvr32.exe'
TargetFilename|endswith: '\rundll32.exe'
TargetFilename|endswith: '\schtasks.exe'
TargetFilename|endswith: '\services.exe'
TargetFilename|endswith: '\sihost.exe'
TargetFilename|endswith: '\smartscreen.exe'
TargetFilename|endswith: '\smss.exe'
TargetFilename|endswith: '\spoolsv.exe'
TargetFilename|endswith: '\svchost.exe'
TargetFilename|endswith: '\taskhost.exe'
TargetFilename|endswith: '\taskhostw.exe'
TargetFilename|endswith: '\vssadmin.exe'
TargetFilename|endswith: '\w32tm.exe'
TargetFilename|endswith: '\wermgr.exe'
TargetFilename|endswith: '\wevtutil.exe'
TargetFilename|endswith: '\wininit.exe'
TargetFilename|endswith: '\winlogon.exe'
TargetFilename|endswith: '\winrshost.exe'
TargetFilename|endswith: '\wlanext.exe'
TargetFilename|endswith: '\wlrmdr.exe'
TargetFilename|endswith: '\wslhost.exe'

Stage 2: `not 1 of filter_main_*`

or:
or:
Image|endswith: 'C:\WINDOWS\SysWOW64\msiexec.exe'
Image|endswith: 'C:\WINDOWS\system32\msiexec.exe'
or:
TargetFilename|startswith: 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
TargetFilename|startswith: 'C:\Program Files\PowerShell\7\pwsh.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
or:
Image|endswith: 'C:\Windows\SysWOW64\svchost.exe'
Image|endswith: 'C:\Windows\system32\svchost.exe'
or:
TargetFilename|contains: 'C:\Program Files (x86)\WindowsApps\'
TargetFilename|contains: 'C:\Program Files\WindowsApps\'
TargetFilename|contains: '\AppData\Local\Microsoft\WindowsApps\'
or:
Image|endswith: '\TiWorker.exe'
Image|endswith: '\wuaucltcore.exe'
TargetFilename|startswith: 'C:\Windows\Temp\'
Image|endswith: '\SecurityHealthSetup.exe'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
Image: 'C:\Windows\SysWOW64\wuauclt.exe'
Image: 'C:\Windows\System32\wuauclt.exe'
Image: 'C:\Windows\UUS\arm64\wuaucltcore.exe'
TargetFilename|endswith: 'C:\Windows\explorer.exe'
TargetFilename|contains: 'C:\$WINDOWS.~BT\'
TargetFilename|contains: 'C:\$WinREAgent\'
TargetFilename|contains: 'C:\Windows\SoftwareDistribution\'
TargetFilename|contains: 'C:\Windows\SysWOW64\'
TargetFilename|contains: 'C:\Windows\System32\'
TargetFilename|contains: 'C:\Windows\WinSxS\'
TargetFilename|contains: 'C:\Windows\uus\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`C:\WINDOWS\SysWOW64\msiexec.exe` `C:\WINDOWS\system32\msiexec.exe` `C:\Windows\SysWOW64\svchost.exe` `C:\Windows\system32\svchost.exe` `\SecurityHealthSetup.exe` `\TiWorker.exe` corpus 7 (sigma 7) `\wuaucltcore.exe` corpus 2 (sigma 2)
`Image`	eq	`C:\Windows\SysWOW64\wuauclt.exe` `C:\Windows\System32\wuauclt.exe` corpus 3 (sigma 3) `C:\Windows\UUS\arm64\wuaucltcore.exe` corpus 2 (sigma 2)
`TargetFilename`	ends_with	`C:\Windows\explorer.exe` `\AtBroker.exe` `\LogonUI.exe` `\LsaIso.exe` `\RuntimeBroker.exe` `\SearchFilterHost.exe` `\SearchIndexer.exe` `\SearchProtocolHost.exe` `\SecurityHealthService.exe` `\SecurityHealthSystray.exe` `\ShellAppRuntime.exe` `\SystemSettingsBroker.exe` `\Taskmgr.exe` `\TiWorker.exe` `\WSReset.exe` `\WUDFHost.exe` `\WWAHost.exe` `\WerFault.exe` corpus 2 (sigma 2) `\WerFaultSecure.exe` `\WinRTNetMUAHostServer.exe` `\WmiPrvSE.exe` `\audiodg.exe` `\backgroundTaskHost.exe` `\bcdedit.exe` `\bitsadmin.exe` `\cmdl32.exe` `\cmstp.exe` `\conhost.exe` `\csrss.exe` `\dasHost.exe` `\dfrgui.exe` `\dllhost.exe` `\dwm.exe` `\eventcreate.exe` `\eventvwr.exe` `\explorer.exe` `\extrac32.exe` `\fontdrvhost.exe` `\fsquirt.exe` `\ipconfig.exe` `\iscsicli.exe` `\iscsicpl.exe` `\logman.exe` `\lsass.exe` `\lsm.exe` `\msiexec.exe` `\msinfo32.exe` `\mstsc.exe` `\nbtstat.exe` `\odbcconf.exe` `\powershell.exe` `\pwsh.exe` `\regini.exe` `\regsvr32.exe` `\rundll32.exe` `\schtasks.exe` `\services.exe` `\sihost.exe` `\smartscreen.exe` `\smss.exe` `\spoolsv.exe` `\svchost.exe` `\taskhost.exe` `\taskhostw.exe` `\vssadmin.exe` `\w32tm.exe` `\wermgr.exe` `\wevtutil.exe` `\wininit.exe` `\winlogon.exe` `\winrshost.exe` `\wlanext.exe` `\wlrmdr.exe` `\wslhost.exe`
`TargetFilename`	match	`C:\$WINDOWS.~BT\` corpus 2 (sigma 2) `C:\$WinREAgent\` corpus 2 (sigma 2) `C:\Program Files (x86)\WindowsApps\` `C:\Program Files\WindowsApps\` `C:\Windows\SoftwareDistribution\` corpus 2 (sigma 2) `C:\Windows\SysWOW64\` corpus 2 (sigma 2) `C:\Windows\System32\` corpus 2 (sigma 2) `C:\Windows\System32\SecurityHealth\` `C:\Windows\WinSxS\` corpus 2 (sigma 2) `C:\Windows\uus\` corpus 2 (sigma 2) `\AppData\Local\Microsoft\WindowsApps\`
`TargetFilename`	starts_with	`C:\Program Files\PowerShell\7-preview\pwsh.exe` `C:\Program Files\PowerShell\7\pwsh.exe` `C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\` `C:\Windows\Temp\` corpus 4 (sigma 4)