System File Execution Location Anomaly

Severity: high
Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1036` Masquerading

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

or:
Image|endswith: '\LsaIso.exe'
Image|endswith: '\RuntimeBroker.exe'
Image|endswith: '\Taskmgr.exe'
Image|endswith: '\atbroker.exe'
Image|endswith: '\audiodg.exe'
Image|endswith: '\bcdedit.exe'
Image|endswith: '\bitsadmin.exe'
Image|endswith: '\certreq.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\cmstp.exe'
Image|endswith: '\conhost.exe'
Image|endswith: '\consent.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\csrss.exe'
Image|endswith: '\dashost.exe'
Image|endswith: '\defrag.exe'
Image|endswith: '\dfrgui.exe'
Image|endswith: '\dism.exe'
Image|endswith: '\dllhost.exe'
Image|endswith: '\dllhst3g.exe'
Image|endswith: '\dwm.exe'
Image|endswith: '\eventvwr.exe'
Image|endswith: '\finger.exe'
Image|endswith: '\fsquirt.exe'
Image|endswith: '\logonui.exe'
Image|endswith: '\lsass.exe'
Image|endswith: '\lsm.exe'
Image|endswith: '\msiexec.exe'
Image|endswith: '\ntoskrnl.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\runonce.exe'
Image|endswith: '\schtasks.exe'
Image|endswith: '\services.exe'
Image|endswith: '\sihost.exe'
Image|endswith: '\smartscreen.exe'
Image|endswith: '\smss.exe'
Image|endswith: '\spoolsv.exe'
Image|endswith: '\svchost.exe'
Image|endswith: '\taskhost.exe'
Image|endswith: '\taskhostw.exe'
Image|endswith: '\userinit.exe'
Image|endswith: '\werfault.exe'
Image|endswith: '\werfaultsecure.exe'
Image|endswith: '\wininit.exe'
Image|endswith: '\winlogon.exe'
Image|endswith: '\winver.exe'
Image|endswith: '\wlanext.exe'
Image|endswith: '\wscript.exe'
Image|endswith: '\wsl.exe'
Image|endswith: '\wsmprovhost.exe'

Stage 2: `not 1 of filter_main_*`

or:
or:
Image|contains: 'C:\Program Files\PowerShell\7-preview\'
Image|contains: 'C:\Program Files\PowerShell\7\'
Image|contains: 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
Image|endswith: '\pwsh.exe'
or:
Image|startswith: 'C:\Program Files\WSL\'
Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
Image|endswith: '\wsl.exe'
Image|endswith: '\wsl.exe'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|startswith: 'C:\Users\'''
Image|startswith: 'C:\$WINDOWS.~BT\'
Image|startswith: 'C:\$WinREAgent\'
Image|startswith: 'C:\Windows\SoftwareDistribution\'
Image|startswith: 'C:\Windows\SysWOW64\'
Image|startswith: 'C:\Windows\System32\'
Image|startswith: 'C:\Windows\SystemTemp\'
Image|startswith: 'C:\Windows\WinSxS\'
Image|startswith: 'C:\Windows\uus\'

Stage 3: `not 1 of filter_optional_system32`

Image|contains: '\SystemRoot\System32\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\LsaIso.exe` `\RuntimeBroker.exe` corpus 4 (sigma 4) `\Taskmgr.exe` `\atbroker.exe` `\audiodg.exe` `\bcdedit.exe` corpus 4 (sigma 4) `\bitsadmin.exe` corpus 23 (sigma 23) `\certreq.exe` corpus 2 (sigma 2) `\certutil.exe` corpus 34 (sigma 34) `\cmstp.exe` corpus 9 (sigma 9) `\conhost.exe` corpus 7 (sigma 7) `\consent.exe` `\cscript.exe` corpus 64 (sigma 64) `\csrss.exe` corpus 3 (sigma 3) `\dashost.exe` `\defrag.exe` corpus 2 (sigma 2) `\dfrgui.exe` `\dism.exe` corpus 4 (sigma 4) `\dllhost.exe` corpus 8 (sigma 8) `\dllhst3g.exe` `\dwm.exe` `\eventvwr.exe` `\finger.exe` corpus 9 (sigma 9) `\fsquirt.exe` `\logonui.exe` `\lsass.exe` corpus 5 (sigma 5) `\lsm.exe` corpus 2 (sigma 2) `\msiexec.exe` corpus 21 (sigma 21) `\ntoskrnl.exe` `\powershell.exe` corpus 143 (sigma 143) `\powershell_ise.exe` corpus 27 (sigma 27) `\pwsh.exe` corpus 140 (sigma 140) `\regsvr32.exe` corpus 57 (sigma 57) `\rundll32.exe` corpus 76 (sigma 76) `\runonce.exe` corpus 4 (sigma 4) `\schtasks.exe` corpus 45 (sigma 45) `\services.exe` corpus 3 (sigma 3) `\sihost.exe` corpus 2 (sigma 2) `\smartscreen.exe` corpus 2 (sigma 2) `\smss.exe` corpus 2 (sigma 2) `\spoolsv.exe` corpus 2 (sigma 2) `\svchost.exe` corpus 20 (sigma 20) `\taskhost.exe` corpus 2 (sigma 2) `\taskhostw.exe` corpus 2 (sigma 2) `\userinit.exe` corpus 2 (sigma 2) `\werfault.exe` corpus 4 (sigma 4) `\werfaultsecure.exe` `\wininit.exe` corpus 3 (sigma 3) `\winlogon.exe` corpus 5 (sigma 5) `\winver.exe` `\wlanext.exe` `\wscript.exe` corpus 64 (sigma 64) `\wsl.exe` corpus 8 (sigma 8) `\wsmprovhost.exe` corpus 3 (sigma 3)
`Image`	match	`C:\Program Files\PowerShell\7-preview\` `C:\Program Files\PowerShell\7\` `C:\Program Files\WindowsApps\Microsoft.PowerShellPreview` corpus 4 (sigma 4) `\AppData\Local\Microsoft\WindowsApps\` corpus 2 (sigma 2) `\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview` corpus 4 (sigma 4) `\SystemRoot\System32\`
`Image`	starts_with	`C:\$WINDOWS.~BT\` corpus 2 (sigma 2) `C:\$WinREAgent\` `C:\Program Files\WSL\` `C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux` `C:\Users\'` corpus 2 (sigma 2) `C:\Windows\SoftwareDistribution\` corpus 2 (sigma 2) `C:\Windows\SysWOW64\` corpus 16 (sigma 16) `C:\Windows\System32\` corpus 16 (sigma 16) `C:\Windows\SystemTemp\` `C:\Windows\WinSxS\` corpus 13 (sigma 13) `C:\Windows\uus\` corpus 2 (sigma 2)