← Back to Explore
sigmamediumHunting
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Detection Query
selection:
TargetFilename|endswith:
- \AtBroker.exe
- \audiodg.exe
- \backgroundTaskHost.exe
- \bcdedit.exe
- \bitsadmin.exe
- \cmdl32.exe
- \cmstp.exe
- \conhost.exe
- \csrss.exe
- \dasHost.exe
- \dfrgui.exe
- \dllhost.exe
- \dwm.exe
- \eventcreate.exe
- \eventvwr.exe
- \explorer.exe
- \extrac32.exe
- \fontdrvhost.exe
- \fsquirt.exe
- \ipconfig.exe
- \iscsicli.exe
- \iscsicpl.exe
- \logman.exe
- \LogonUI.exe
- \LsaIso.exe
- \lsass.exe
- \lsm.exe
- \msiexec.exe
- \msinfo32.exe
- \mstsc.exe
- \nbtstat.exe
- \odbcconf.exe
- \powershell.exe
- \pwsh.exe
- \regini.exe
- \regsvr32.exe
- \rundll32.exe
- \RuntimeBroker.exe
- \schtasks.exe
- \SearchFilterHost.exe
- \SearchIndexer.exe
- \SearchProtocolHost.exe
- \SecurityHealthService.exe
- \SecurityHealthSystray.exe
- \services.exe
- \ShellAppRuntime.exe
- \sihost.exe
- \smartscreen.exe
- \smss.exe
- \spoolsv.exe
- \svchost.exe
- \SystemSettingsBroker.exe
- \taskhost.exe
- \taskhostw.exe
- \Taskmgr.exe
- \TiWorker.exe
- \vssadmin.exe
- \w32tm.exe
- \WerFault.exe
- \WerFaultSecure.exe
- \wermgr.exe
- \wevtutil.exe
- \wininit.exe
- \winlogon.exe
- \winrshost.exe
- \WinRTNetMUAHostServer.exe
- \wlanext.exe
- \wlrmdr.exe
- \WmiPrvSE.exe
- \wslhost.exe
- \WSReset.exe
- \WUDFHost.exe
- \WWAHost.exe
filter_main_generic:
TargetFilename|contains:
- C:\$WINDOWS.~BT\
- C:\$WinREAgent\
- C:\Windows\SoftwareDistribution\
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
- C:\Windows\uus\
filter_main_tiworker:
Image|endswith:
- \TiWorker.exe
- \wuaucltcore.exe
TargetFilename|startswith: C:\Windows\Temp\
filter_main_svchost:
Image|endswith:
- C:\Windows\system32\svchost.exe
- C:\Windows\SysWOW64\svchost.exe
TargetFilename|contains:
- C:\Program Files\WindowsApps\
- C:\Program Files (x86)\WindowsApps\
- \AppData\Local\Microsoft\WindowsApps\
filter_main_wuauclt:
Image:
- C:\Windows\System32\wuauclt.exe
- C:\Windows\SysWOW64\wuauclt.exe
- C:\Windows\UUS\arm64\wuaucltcore.exe
filter_main_explorer:
TargetFilename|endswith: C:\Windows\explorer.exe
filter_main_msiexec:
Image|endswith:
- C:\WINDOWS\system32\msiexec.exe
- C:\WINDOWS\SysWOW64\msiexec.exe
TargetFilename|startswith:
- C:\Program Files\PowerShell\7\pwsh.exe
- C:\Program Files\PowerShell\7-preview\pwsh.exe
- C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\
filter_main_healtray:
TargetFilename|contains: C:\Windows\System32\SecurityHealth\
TargetFilename|endswith: \SecurityHealthSystray.exe
Image|endswith: \SecurityHealthSetup.exe
condition: selection and not 1 of filter_main_*
Author
Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Created
2020-05-26
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1036.005
Raw Content
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
references:
- Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
- attack.defense-evasion
- attack.t1036.005
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '\AtBroker.exe'
- '\audiodg.exe'
- '\backgroundTaskHost.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\cmdl32.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\csrss.exe'
- '\dasHost.exe'
- '\dfrgui.exe'
- '\dllhost.exe'
- '\dwm.exe'
- '\eventcreate.exe'
- '\eventvwr.exe'
- '\explorer.exe'
- '\extrac32.exe'
- '\fontdrvhost.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\ipconfig.exe'
- '\iscsicli.exe'
- '\iscsicpl.exe'
- '\logman.exe'
- '\LogonUI.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\msinfo32.exe'
- '\mstsc.exe'
- '\nbtstat.exe'
- '\odbcconf.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regini.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\SearchFilterHost.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SecurityHealthService.exe'
- '\SecurityHealthSystray.exe'
- '\services.exe'
- '\ShellAppRuntime.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\SystemSettingsBroker.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\TiWorker.exe'
- '\vssadmin.exe'
- '\w32tm.exe'
- '\WerFault.exe'
- '\WerFaultSecure.exe'
- '\wermgr.exe'
- '\wevtutil.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winrshost.exe'
- '\WinRTNetMUAHostServer.exe'
- '\wlanext.exe'
- '\wlrmdr.exe'
- '\WmiPrvSE.exe'
- '\wslhost.exe'
- '\WSReset.exe'
- '\WUDFHost.exe'
- '\WWAHost.exe'
filter_main_generic:
# Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
TargetFilename|contains:
# - '\SystemRoot\System32\'
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\uus\'
filter_main_tiworker:
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
TargetFilename|startswith: 'C:\Windows\Temp\'
filter_main_svchost:
Image|endswith:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|contains:
- 'C:\Program Files\WindowsApps\'
- 'C:\Program Files (x86)\WindowsApps\'
- '\AppData\Local\Microsoft\WindowsApps\'
filter_main_wuauclt:
Image:
- 'C:\Windows\System32\wuauclt.exe'
- 'C:\Windows\SysWOW64\wuauclt.exe'
- 'C:\Windows\UUS\arm64\wuaucltcore.exe'
filter_main_explorer:
TargetFilename|endswith: 'C:\Windows\explorer.exe'
filter_main_msiexec:
# This filter handles system processes who are updated/installed using misexec.
Image|endswith:
- 'C:\WINDOWS\system32\msiexec.exe'
- 'C:\WINDOWS\SysWOW64\msiexec.exe'
# Add more processes if you find them or simply filter msiexec on its own. If the list grows big
TargetFilename|startswith:
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
filter_main_healtray:
TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
Image|endswith: '\SecurityHealthSetup.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- System processes copied outside their default folders for testing purposes
- Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml