SigmaHQ/rules/windows/process_creation/win_system_exe_anomaly.yml

title: System File Execution Location Anomaly
status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
  - https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth
date: 2017/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image:
      - '*\svchost.exe'
      - '*\rundll32.exe'
      - '*\services.exe'
      - '*\powershell.exe'
      - '*\regsvr32.exe'
      - '*\spoolsv.exe'
      - '*\lsass.exe'
      - '*\smss.exe'
      - '*\csrss.exe'
      - '*\conhost.exe'
  filter:
    Image:
      - '*\System32\\*'
      - '*\SysWow64\\*'
  condition: selection and not filter
tags:
  - attack.defense_evasion
falsepositives:
  - Exotic software
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: System File Execution Location Anomaly`
			`status: experimental`
			`description: Detects a Windows program executable started in a suspicious folder`
			`references:`
			`- https://twitter.com/GelosSnake/status/934900723426439170`
			`author: Florian Roth`
			`date: 2017/11/27`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`Image:`
			`- '*\svchost.exe'`
			`- '*\rundll32.exe'`
			`- '*\services.exe'`
			`- '*\powershell.exe'`
			`- '*\regsvr32.exe'`
			`- '*\spoolsv.exe'`
			`- '*\lsass.exe'`
			`- '*\smss.exe'`
			`- '*\csrss.exe'`
			`- '*\conhost.exe'`
			`filter:`
			`Image:`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`- '\System32\\'`
			`- '\SysWow64\\'`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`condition: selection and not filter`
			`tags:`
			`- attack.defense_evasion`
			`falsepositives:`
			`- Exotic software`
			`level: high`