SigmaHQ/wazuh/rules/sigma_win_susp_run_locations.yml

alert:
- debug
description: Detects suspicious process run from unusual locations
filter:
- query:
    query_string:
      query: data.win.eventdata.image.keyword:(*\:\\RECYCLER\\* OR *\:\\SystemVolumeInformation\\* OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\debug\\* OR C\:\\Windows\\fonts\\* OR C\:\\Windows\\help\\* OR C\:\\Windows\\drivers\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\cursors\\* OR C\:\\Windows\\system32\\tasks\\*)
index: wazuh-alerts-3.x-*
name: 15b75071-74cc-47e0-b4c6-b43744a62a2b_0
priority: 3
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: Detects suspicious process run from unusual locations`
			`filter:`
			`- query:`
			`query_string:`
			`query: data.win.eventdata.image.keyword:(\:\\RECYCLER\\ OR \:\\SystemVolumeInformation\\ OR C\:\\Windows\\Tasks\\* OR C\:\\Windows\\debug\\* OR C\:\\Windows\\fonts\\* OR C\:\\Windows\\help\\* OR C\:\\Windows\\drivers\\* OR C\:\\Windows\\addins\\* OR C\:\\Windows\\cursors\\* OR C\:\\Windows\\system32\\tasks\\*)`
			`index: wazuh-alerts-3.x-*`
			`name: 15b75071-74cc-47e0-b4c6-b43744a62a2b_0`
			`priority: 3`
			`realert:`
			`minutes: 0`
			`type: any`