SigmaHQ/rules/windows/process_creation/win_susp_service_dir.yml

title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
description: Detects a service binary running in a suspicious directory
author: Florian Roth
date: 2021/03/09
status: experimental
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: 
            - '\Users\Public\'
            - '\$Recycle.bin'
            - '\Users\All Users\'
            - '\Users\Default\'
            - '\Users\Contacts\'
            - '\Users\Searches\' 
            - 'C:\Perflogs\'
            - '\config\systemprofile\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
            - '\Windows\addins\'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
rule: suspicious service binary location 2021-03-09 08:01:36 +00:00			`title: Suspicious Service Binary Directory`
			`id: 883faa95-175a-4e22-8181-e5761aeb373c`
			`description: Detects a service binary running in a suspicious directory`
			`author: Florian Roth`
			`date: 2021/03/09`
			`status: experimental`
			`references:`
			`- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`Image\|contains:`
fix: 1 of them condition 2021-03-09 08:15:12 +00:00			`- '\Users\Public\'`
rule: suspicious service binary location 2021-03-09 08:01:36 +00:00			`- '\$Recycle.bin'`
			`- '\Users\All Users\'`
			`- '\Users\Default\'`
			`- '\Users\Contacts\'`
			`- '\Users\Searches\'`
			`- 'C:\Perflogs\'`
			`- '\config\systemprofile\'`
			`- '\Windows\Fonts\'`
			`- '\Windows\IME\'`
			`- '\Windows\addins\'`
			`ParentImage\|endswith:`
			`- '\services.exe'`
			`- '\svchost.exe'`
fix: 1 of them condition 2021-03-09 08:15:12 +00:00			`condition: selection`
rule: suspicious service binary location 2021-03-09 08:01:36 +00:00			`falsepositives:`
			`- Unknown`
			`level: high`