detection.wiki

Detection rules › Sigma

Suspicious Service Binary Directory

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects a service binary running in a suspicious directory

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1202 Indirect Command Execution

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection

or:
Image|contains: 'C:\Perflogs\'
Image|contains: '\$Recycle.bin'
Image|contains: '\Users\All Users\'
Image|contains: '\Users\Contacts\'
Image|contains: '\Users\Default\'
Image|contains: '\Users\Public\'
Image|contains: '\Users\Searches\'
Image|contains: '\Windows\Fonts\'
Image|contains: '\Windows\IME\'
Image|contains: '\Windows\addins\'
Image|contains: '\config\systemprofile\'
or:
ParentImage|endswith: '\services.exe'
ParentImage|endswith: '\svchost.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imagematch
  • C:\Perflogs\
  • \$Recycle.bin corpus 2 (sigma 2)
  • \Users\All Users\
  • \Users\Contacts\ corpus 2 (sigma 2)
  • \Users\Default\ corpus 4 (sigma 4)
  • \Users\Public\ corpus 8 (sigma 8)
  • \Users\Searches\ corpus 2 (sigma 2)
  • \Windows\Fonts\ corpus 2 (sigma 2)
  • \Windows\IME\ corpus 2 (sigma 2)
  • \Windows\addins\ corpus 4 (sigma 4)
  • \config\systemprofile\ corpus 4 (sigma 4)
ParentImageends_with
  • \services.exe corpus 7 (sigma 7)
  • \svchost.exe corpus 8 (sigma 8)