Detection rules › Splunk
Windows Unusual SysWOW64 Process Run System32 Executable
The following analytic detects an unusual process execution pattern where a process running from C:\Windows\SysWOW64\ attempts to execute a binary from C:\Windows\System32. In a typical Windows environment, 32-bit processes under SysWOW64 should primarily interact with 32-bit binaries within the same directory. However, an execution flow where a 32-bit process spawns a 64-bit binary from System32 can indicate potential process injection, privilege escalation, evasion techniques, or unauthorized execution hijacking.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1036.009 Masquerading: Break Process Trees |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: tstats
tstats WHERE Processes.process="*windows\\system32\\*" Processes.process_path="*\\Windows\\SysWOW64\\*" BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Processes.process | eq |
|
Processes.process_path | eq |
|