Type: Detection | Level: medium | Status: test
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Created: Tue May 26
Updated: Wed Feb 04
Rule ID: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
Product: windows
Log Source
Product: windows (Windows)
Category: file_event (File Event)
Events for file system activity including creation, modification, and deletion.
Detection Logic
detection:
    selection:
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_tiworker:
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
        TargetFilename|startswith: 'C:\Windows\Temp\'
    filter_main_svchost:
        Image|endswith:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|contains:
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\WindowsApps\'
            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\SysWOW64\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system processes that are updated/installed using msiexec.
        Image|endswith:
            - 'C:\WINDOWS\system32\msiexec.exe'
            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter_main_*

False Positives
- System processes copied outside their default folders for testing purposes
- Third-party software that names its executables the same as the processes listed here
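The detection logic above, re-implemented in plain Python and run over a handful of constructed Sysmon Event ID 11 (FileCreate) records, so the effect of each filter_main_* block can be checked directly. This is an added example, not code from the rule or the Sigma project. It assumes Sigma's default case-insensitive semantics for endswith/contains/startswith and plain equality (hence the lower-casing on both sides), reproduces only a subset of the rule's selection filenames (the filters are complete), and the baseline() helper is a hypothetical way of following the description's advice: it groups hits by (Image, target directory) so that pairs recurring across a clean fleet can be turned into site-specific filters.

```python
"""Sigma rule d5866ddf-ce8f-4aea-b28e-d96485a20d3d evaluated in plain Python.
Sigma string modifiers are case-insensitive, so every comparison lower-cases
both sides. Selection list is a subset; the filter_main_* blocks are complete."""
from collections import Counter
import ntpath

# Subset of the rule's TargetFilename|endswith list.
SYSTEM_PROCESS_NAMES = [
    '\\svchost.exe', '\\lsass.exe', '\\explorer.exe', '\\csrss.exe', '\\rundll32.exe',
    '\\powershell.exe', '\\pwsh.exe', '\\fsquirt.exe', '\\SecurityHealthSystray.exe',
]
# filter_main_generic: TargetFilename|contains
GENERIC_SYSTEM_DIRS = [
    'C:\\$WINDOWS.~BT\\', 'C:\\$WinREAgent\\', 'C:\\Windows\\SoftwareDistribution\\',
    'C:\\Windows\\System32\\', 'C:\\Windows\\SysWOW64\\', 'C:\\Windows\\WinSxS\\',
    'C:\\Windows\\uus\\',
]

def _ends(v, xs): return any(v.lower().endswith(x.lower()) for x in xs)
def _starts(v, xs): return any(v.lower().startswith(x.lower()) for x in xs)
def _has(v, xs): return any(x.lower() in v.lower() for x in xs)
def _is(v, xs): return v.lower() in [x.lower() for x in xs]

def selection(ev):
    return _ends(ev['TargetFilename'], SYSTEM_PROCESS_NAMES)

# One function per filter_main_* block; fields inside a block are AND-ed.
def filter_main_generic(ev):
    return _has(ev['TargetFilename'], GENERIC_SYSTEM_DIRS)

def filter_main_tiworker(ev):
    return (_ends(ev['Image'], ['\\TiWorker.exe', '\\wuaucltcore.exe'])
            and _starts(ev['TargetFilename'], ['C:\\Windows\\Temp\\']))

def filter_main_svchost(ev):
    return (_ends(ev['Image'], ['C:\\Windows\\system32\\svchost.exe', 'C:\\Windows\\SysWOW64\\svchost.exe'])
            and _has(ev['TargetFilename'], ['C:\\Program Files\\WindowsApps\\',
                                            'C:\\Program Files (x86)\\WindowsApps\\',
                                            '\\AppData\\Local\\Microsoft\\WindowsApps\\']))

def filter_main_wuauclt(ev):
    return _is(ev['Image'], ['C:\\Windows\\System32\\wuauclt.exe', 'C:\\Windows\\SysWOW64\\wuauclt.exe',
                             'C:\\Windows\\UUS\\arm64\\wuaucltcore.exe'])

def filter_main_explorer(ev):
    return _ends(ev['TargetFilename'], ['C:\\Windows\\explorer.exe'])

def filter_main_msiexec(ev):
    return (_ends(ev['Image'], ['C:\\WINDOWS\\system32\\msiexec.exe', 'C:\\WINDOWS\\SysWOW64\\msiexec.exe'])
            and _starts(ev['TargetFilename'], ['C:\\Program Files\\PowerShell\\7\\pwsh.exe',
                                               'C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe',
                                               'C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\']))

def filter_main_healtray(ev):
    return (_has(ev['TargetFilename'], ['C:\\Windows\\System32\\SecurityHealth\\'])
            and _ends(ev['TargetFilename'], ['\\SecurityHealthSystray.exe'])
            and _ends(ev['Image'], ['\\SecurityHealthSetup.exe']))

FILTERS = [filter_main_generic, filter_main_tiworker, filter_main_svchost, filter_main_wuauclt,
           filter_main_explorer, filter_main_msiexec, filter_main_healtray]

def matches(ev):
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not any(f(ev) for f in FILTERS)

def run(events):
    return [i for i, ev in enumerate(events) if matches(ev)]  # indexes of events that fire

def baseline(events):
    """Hypothetical baselining helper: hits per (Image, target directory). Pairs that
    recur across a clean fleet are candidates for a site-specific filter."""
    return Counter((ev['Image'].lower(), ntpath.dirname(ev['TargetFilename']).lower())
                   for ev in events if matches(ev))

# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS = [
    {'Image': 'C:\\Users\\alice\\Downloads\\setup.exe',      # 0: fake svchost in %TEMP% -> hit
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe'},
    {'Image': 'C:\\Windows\\System32\\svchost.exe',           # 1: servicing into WinSxS -> generic filter
     'TargetFilename': 'C:\\Windows\\WinSxS\\amd64_svchost_10.0.19041.1\\svchost.exe'},
    {'Image': 'C:\\Windows\\System32\\svchost.exe',           # 2: Store install -> svchost filter
     'TargetFilename': 'C:\\Program Files\\WindowsApps\\Microsoft.PowerShell_7.4\\pwsh.exe'},
    {'Image': 'C:\\Windows\\System32\\msiexec.exe',           # 3: PowerShell MSI -> msiexec filter
     'TargetFilename': 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'},
    {'Image': 'C:\\Windows\\System32\\mshta.exe',             # 4: fsquirt.exe in ProgramData -> hit
     'TargetFilename': 'C:\\ProgramData\\fsquirt.exe'},
    {'Image': 'C:\\Users\\alice\\Downloads\\setup.exe',      # 5: not a system process name -> no hit
     'TargetFilename': 'C:\\Users\\alice\\Downloads\\report.exe'},
    {'Image': 'C:\\Users\\alice\\Downloads\\SETUP.EXE',      # 6: upper-case variant -> still a hit
     'TargetFilename': 'C:\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\SVCHOST.EXE'},
]

if __name__ == '__main__':
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['Image']} created {SAMPLE_EVENTS[i]['TargetFilename']}")
    for (image, directory), n in baseline(SAMPLE_EVENTS).items():
        print(f"baseline {n}x {image} -> {directory}")
```

Events 0, 4 and 6 fire; 1, 2 and 3 show one benign filter each, and 6 shows why the case folding matters, since a backend that compiled the rule case-sensitively would miss SVCHOST.EXE. Note that filter_main_generic matches anywhere in the path, so a file such as C:\Users\x\C:\Windows\System32\svchost.exe cannot occur on NTFS, but a path that merely contains 'C:\Windows\System32\' in a later component would also be suppressed; that is the false-negative risk the rule's own comment warns about.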
References
- Internal Research

MITRE ATT&CK
Tactics: Defense Evasion (TA0005)
Sub-techniques: T1036.005 Masquerading: Match Legitimate Name or Location
Rule Metadata
Rule ID
d5866ddf-ce8f-4aea-b28e-d96485a20d3d
Status
test
Level
medium
Type
Detection
Created
Tue May 26
Modified
Wed Feb 04
Path
rules/windows/file/file_event/file_event_win_creation_system_file.yml
Raw Tags
attack.defense-evasion
attack.t1036.005