title: Execution in Webserver Root Folder
status: experimental
description: Detects a suspicious program execution in a web service root folder (filter out false positives)
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\wwwroot\*'
            - '*\wmpub\*'
            - '*\htdocs\*'
    filter:
        Image:
            - '*bin\*'
            - '*\Tools\*'
            - '*\SMSComponent\*'
        ParentImage:
            - '*\services.exe'
    condition: selection and not filter
falsepositives:
    - Various applications
    - Tools that include ping or nslookup command invocations
level: medium
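
The following is an added example, not part of the original rule or of the Sigma project's tooling: a minimal Python evaluator for this rule's `selection and not filter` condition, run over constructed Sysmon process-creation events. It assumes standard Sigma matching (fields within a block are ANDed, list values are ORed, `*` is a wildcard, string comparison is case-insensitive); the helper names and sample paths are hypothetical.

```python
import re

# Patterns copied from the rule. Fields in a block are ANDed, list values ORed.
SELECTION = {"EventID": [1], "Image": [r"*\wwwroot\*", r"*\wmpub\*", r"*\htdocs\*"]}
FILTER = {"Image": [r"*bin\*", r"*\Tools\*", r"*\SMSComponent\*"],
          "ParentImage": [r"*\services.exe"]}

def wildcard_match(pattern, value):
    """Case-insensitive match where '*' is the only wildcard character."""
    if not isinstance(pattern, str):
        return pattern == value  # numeric fields such as EventID
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE | re.DOTALL) is not None

def matches(block, event):
    """True when every field in the block matches at least one of its values."""
    return all(
        field in event and any(wildcard_match(p, event[field]) for p in patterns)
        for field, patterns in block.items()
    )

def rule_fires(event):
    """condition: selection and not filter"""
    return matches(SELECTION, event) and not matches(FILTER, event)

# Constructed Sysmon EventID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    # Binary in the web root started by the IIS worker: alert.
    {"EventID": 1, "Image": r"C:\inetpub\wwwroot\uploads\svc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # bin\ path AND parent services.exe: both filter fields match, suppressed.
    {"EventID": 1, "Image": r"C:\inetpub\wwwroot\app\bin\worker.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Same bin\ path, parent is not services.exe: filter does not apply, alert.
    {"EventID": 1, "Image": r"C:\inetpub\wwwroot\app\bin\worker.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # Only the parent lives in a web root: selection checks Image, no alert.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\xampp\htdocs\shell.exe"},
    # Web-root image but not a process-creation event: no alert.
    {"EventID": 3, "Image": r"C:\xampp\htdocs\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def evaluate(events):
    return [rule_fires(e) for e in events]

if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if fired else "-----", event["Image"], "<-", event["ParentImage"])
```

The second and third events differ only in `ParentImage`, which shows that the filter suppresses a `bin\` path only when the parent is also `services.exe`.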