SigmaHQ/rules/windows/process_creation/win_susp_execution_path.yml

title: Execution from Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: experimental
description: Detects a suspicious execution from an uncommon folder
author: Florian Roth
date: 2019/01/16
modified: 2021/03/31
references:
    - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
    - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
tags:
    - attack.defense_evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
            - '\$Recycle.bin\'
            - '\config\systemprofile\'
            - '\Intel\Logs\'
            - '\RSA\MachineKeys\'
            - '\Users\All Users\'
            - '\Users\Default\'
            - '\Users\NetworkService\'
            - '\Users\Public\'
            - '\Windows\addins\'
            - '\Windows\debug\'
            - '\Windows\Fonts\'
            - '\Windows\Help\'
            - '\Windows\IME\'
            - '\Windows\Media\'
            - '\Windows\repair\'
            - '\Windows\security\'
            - '\Windows\system32\config\systemprofile\'
            - '\Windows\System32\Tasks\'
            - '\Windows\Tasks\'
        - Image|startswith: 'C:\Perflogs\'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap 2021-03-31 14:12:38 +00:00			`title: Execution from Suspicious Folder`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`status: experimental`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`description: Detects a suspicious execution from an uncommon folder`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: Florian Roth`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2019/01/16`
refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap 2021-03-31 14:12:38 +00:00			`modified: 2021/03/31`
			`references:`
			`- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt`
			`- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses`
			`- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/`
			`- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md`
atc review 2019-03-06 04:25:12 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1036`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
refactor: make use of value modifiers 2021-04-01 10:20:09 +00:00			`- Image\|contains:`
			`- '\$Recycle.bin\'`
Merge branch 'oscd' 2021-04-05 22:05:35 +00:00			`- '\config\systemprofile\'`
			`- '\Intel\Logs\'`
			`- '\RSA\MachineKeys\'`
refactor: make use of value modifiers 2021-04-01 10:20:09 +00:00			`- '\Users\All Users\'`
			`- '\Users\Default\'`
Merge branch 'oscd' 2021-04-05 22:05:35 +00:00			`- '\Users\NetworkService\'`
refactor: make use of value modifiers 2021-04-01 10:20:09 +00:00			`- '\Users\Public\'`
			`- '\Windows\addins\'`
			`- '\Windows\debug\'`
Update win_susp_execution_path.yml 2020-11-28 12:07:22 +00:00			`- '\Windows\Fonts\'`
refactor: make use of value modifiers 2021-04-01 10:20:09 +00:00			`- '\Windows\Help\'`
Update win_susp_execution_path.yml 2020-11-28 12:07:22 +00:00			`- '\Windows\IME\'`
Merge branch 'oscd' 2021-04-05 22:05:35 +00:00			`- '\Windows\Media\'`
refactor: make use of value modifiers 2021-04-01 10:20:09 +00:00			`- '\Windows\repair\'`
			`- '\Windows\security\'`
			`- '\Windows\system32\config\systemprofile\'`
			`- '\Windows\System32\Tasks\'`
Merge branch 'oscd' 2021-04-05 22:05:35 +00:00			`- '\Windows\Tasks\'`
Update win_susp_execution_path.yml 2020-11-28 12:07:22 +00:00			`- Image\|startswith: 'C:\Perflogs\'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`fields:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: high`