Detectionmediumtest
Suspicious Process Start Locations
Detects suspicious process run from unusual locations
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
juju4, Jonhnathan Ribeiro, oscd.communityCreated Wed Jan 16Updated Fri Jan 0715b75071-74cc-47e0-b4c6-b43744a62a2bwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
- Image|contains:
- ':\RECYCLER\'
- ':\SystemVolumeInformation\'
- Image|startswith:
- 'C:\Windows\Tasks\'
- 'C:\Windows\debug\'
- 'C:\Windows\fonts\'
- 'C:\Windows\help\'
- 'C:\Windows\drivers\'
- 'C:\Windows\addins\'
- 'C:\Windows\cursors\'
- 'C:\Windows\system32\tasks\'
condition: selectionFalse Positives
False positives depend on scripts and administrative tools used in the monitored environment
References
MITRE ATT&CK
Tactics
Techniques
CAR Analytics
2013-05-002 · CAR 2013-05-002
Rule Metadata
Rule ID
15b75071-74cc-47e0-b4c6-b43744a62a2b
Status
test
Level
medium
Type
Detection
Created
Wed Jan 16
Modified
Fri Jan 07
Author
Path
rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
Raw Tags
attack.defense-evasionattack.t1036car.2013-05-002