sigmahighHunting

Suspicious Service Binary Directory

Detects a service binary running in a suspicious directory

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  Image|contains:
    - \Users\Public\
    - \$Recycle.bin
    - \Users\All Users\
    - \Users\Default\
    - \Users\Contacts\
    - \Users\Searches\
    - C:\Perflogs\
    - \config\systemprofile\
    - \Windows\Fonts\
    - \Windows\IME\
    - \Windows\addins\
  ParentImage|endswith:
    - \services.exe
    - \svchost.exe
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2021-03-09

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/

Tags

attack.defense-evasionattack.t1202

Raw Content

title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
status: test
description: Detects a service binary running in a suspicious directory
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\Users\Public\'
            - '\$Recycle.bin'
            - '\Users\All Users\'
            - '\Users\Default\'
            - '\Users\Contacts\'
            - '\Users\Searches\'
            - 'C:\Perflogs\'
            - '\config\systemprofile\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
            - '\Windows\addins\'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high