Rule: System File Execution Location Anomaly

2024-11-07 01:45:21 +00:00 · 2017-11-27 14:09:22 +01:00 · 2017-11-27 14:09:22 +01:00 · 78854b79c4
commit 78854b79c4
parent 93fbc63691
1 changed files with 33 additions and 0 deletions
--- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
+++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
@ -0,0 +1,33 @@
+title: System File Execution Location Anomaly
+status: experimental
+description: Detects a Windows program executable started in a suspicious folder
+reference: https://twitter.com/GelosSnake/status/934900723426439170
+author: Florian Roth
+date: 2017/11/27
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image:
+            - '*\svchost.exe'
+            - '*\rundll32.exe'
+            - '*\services.exe'
+            - '*\powershell.exe'
+            - '*\regsvr32.exe'
+            - '*\spoolsv.exe'
+            - '*\lsass.exe'
+            - '*\conhost.exe'
+            - '*\smss.exe'
+            - '*\csrss.exe'
+            - '*\conhost.exe'
+    filter:
+        Image: 
+            - '*\System32\*'
+            - '*\SysWow64\*'
+    condition: selection and not filter
+falsepositives:
+    - Exotic software
+level: high
+