SigmaHQ/rules/windows/process_creation/win_system_exe_anomaly.yml

title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community
date: 2017/11/27
modified: 2021/03/02
tags:
    - attack.defense_evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\spoolsv.exe'
            - '\lsass.exe'
            - '\smss.exe'
            - '\csrss.exe'
            - '\conhost.exe'
            - '\wininit.exe'
            - '\lsm.exe'
            - '\winlogon.exe'
            - '\explorer.exe'
            - '\taskhost.exe'
            - '\Taskmgr.exe'
            - '\sihost.exe'
            - '\RuntimeBroker.exe'
            - '\smartscreen.exe'
            - '\dllhost.exe'
            - '\audiodg.exe'
            - '\wlanext.exe'
    filter:
        - Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWow64\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\winsxs\'
            - 'C:\Windows\WinSxS\'
            - 'C:\avast! sandbox'
        - Image|contains: '\SystemRoot\System32\'
        - Image: 'C:\Windows\explorer.exe'
    condition: selection and not filter
fields:
    - ComputerName
    - User
    - Image
falsepositives:
    - Exotic software
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: System File Execution Location Anomaly`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: e4a6b256-3e47-40fc-89d2-7a477edd6915`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`status: experimental`
			`description: Detects a Windows program executable started in a suspicious folder`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://twitter.com/GelosSnake/status/934900723426439170`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`date: 2017/11/27`
fix: FPs with rule and avast sandbox 2021-03-02 09:08:30 +00:00			`modified: 2021/03/02`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1036`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
Update win_system_exe_anomaly.yml 2020-10-15 22:55:57 +00:00			`Image\|endswith:`
			`- '\svchost.exe'`
			`- '\rundll32.exe'`
			`- '\services.exe'`
			`- '\powershell.exe'`
			`- '\regsvr32.exe'`
			`- '\spoolsv.exe'`
			`- '\lsass.exe'`
			`- '\smss.exe'`
			`- '\csrss.exe'`
			`- '\conhost.exe'`
			`- '\wininit.exe'`
			`- '\lsm.exe'`
			`- '\winlogon.exe'`
			`- '\explorer.exe'`
			`- '\taskhost.exe'`
			`- '\Taskmgr.exe'`
			`- '\sihost.exe'`
			`- '\RuntimeBroker.exe'`
			`- '\smartscreen.exe'`
			`- '\dllhost.exe'`
			`- '\audiodg.exe'`
			`- '\wlanext.exe'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`filter:`
Update win_system_exe_anomaly.yml 2020-11-28 16:32:44 +00:00			`- Image\|startswith:`
			`- 'C:\Windows\System32\'`
			`- 'C:\Windows\system32\'`
			`- 'C:\Windows\SysWow64\'`
			`- 'C:\Windows\SysWOW64\'`
			`- 'C:\Windows\winsxs\'`
			`- 'C:\Windows\WinSxS\'`
Merge branch 'oscd' B B B B A 2021-03-02 19:48:55 +00:00			`- 'C:\avast! sandbox'`
			`- Image\|contains: '\SystemRoot\System32\'`
Update win_system_exe_anomaly.yml 2020-11-28 17:03:19 +00:00			`- Image: 'C:\Windows\explorer.exe'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`condition: selection and not filter`
OSCD QA wave 2 * Improved rules * Added filtering * Adjusted severity 2020-01-17 14:46:28 +00:00			`fields:`
			`- ComputerName`
			`- User`
			`- Image`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Exotic software`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: high`