Rule: Suspicious Program Location Process Starts

rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml

@@ -0,0 +1,26 @@
+title: Suspicious Program Location Process Starts
+status: experimental
+description: Detects programs running in suspicious files system locations
+references:
+    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+author: Florian Roth
+date: 2019/01/15
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image: 
+            # - '*\ProgramData\*'  # too many false positives, e.g. with Webex for Windows
+            - '*\$Recycle.bin'
+            - '*\Users\Public\*'
+            - 'C:\Perflogs\*'
+            - '*\Windows\Fonts\*'
+            - '*\Windows\IME\*'
+            - '*\Windows\addins\*'
+            - '*\Windows\debug\*'
+    condition: selection
+falsepositives:
+    - unknown
+level: high