← Back to Explore
sigmamediumHunting
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
MITRE ATT&CK
Detection Query
selection:
TargetFilename|endswith:
- \AtBroker.exe
- \audiodg.exe
- \backgroundTaskHost.exe
- \bcdedit.exe
- \bitsadmin.exe
- \cmdl32.exe
- \cmstp.exe
- \conhost.exe
- \csrss.exe
- \dasHost.exe
- \dfrgui.exe
- \dllhost.exe
- \dwm.exe
- \eventcreate.exe
- \eventvwr.exe
- \explorer.exe
- \extrac32.exe
- \fontdrvhost.exe
- \fsquirt.exe
- \ipconfig.exe
- \iscsicli.exe
- \iscsicpl.exe
- \logman.exe
- \LogonUI.exe
- \LsaIso.exe
- \lsass.exe
- \lsm.exe
- \msiexec.exe
- \msinfo32.exe
- \mstsc.exe
- \nbtstat.exe
- \odbcconf.exe
- \powershell.exe
- \pwsh.exe
- \regini.exe
- \regsvr32.exe
- \rundll32.exe
- \RuntimeBroker.exe
- \schtasks.exe
- \SearchFilterHost.exe
- \SearchIndexer.exe
- \SearchProtocolHost.exe
- \SecurityHealthService.exe
- \SecurityHealthSystray.exe
- \services.exe
- \ShellAppRuntime.exe
- \sihost.exe
- \smartscreen.exe
- \smss.exe
- \spoolsv.exe
- \svchost.exe
- \SystemSettingsBroker.exe
- \taskhost.exe
- \taskhostw.exe
- \Taskmgr.exe
- \TiWorker.exe
- \vssadmin.exe
- \w32tm.exe
- \WerFault.exe
- \WerFaultSecure.exe
- \wermgr.exe
- \wevtutil.exe
- \wininit.exe
- \winlogon.exe
- \winrshost.exe
- \WinRTNetMUAHostServer.exe
- \wlanext.exe
- \wlrmdr.exe
- \WmiPrvSE.exe
- \wslhost.exe
- \WSReset.exe
- \WUDFHost.exe
- \WWAHost.exe
filter_main_generic:
TargetFilename|contains:
- C:\$WINDOWS.~BT\
- C:\$WinREAgent\
- C:\Windows\SoftwareDistribution\
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
- C:\Windows\uus\
filter_main_tiworker:
Image|endswith:
- \TiWorker.exe
- \wuaucltcore.exe
TargetFilename|startswith: C:\Windows\Temp\
filter_main_svchost:
Image|endswith:
- C:\Windows\system32\svchost.exe
- C:\Windows\SysWOW64\svchost.exe
TargetFilename|contains:
- C:\Program Files\WindowsApps\
- C:\Program Files (x86)\WindowsApps\
- \AppData\Local\Microsoft\WindowsApps\
filter_main_wuauclt:
Image:
- C:\Windows\System32\wuauclt.exe
- C:\Windows\SysWOW64\wuauclt.exe
- C:\Windows\UUS\arm64\wuaucltcore.exe
filter_main_explorer:
TargetFilename|endswith: C:\Windows\explorer.exe
filter_main_msiexec:
Image|endswith:
- C:\WINDOWS\system32\msiexec.exe
- C:\WINDOWS\SysWOW64\msiexec.exe
TargetFilename|startswith:
- C:\Program Files\PowerShell\7\pwsh.exe
- C:\Program Files\PowerShell\7-preview\pwsh.exe
- C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\
filter_main_healtray:
TargetFilename|contains: C:\Windows\System32\SecurityHealth\
TargetFilename|endswith: \SecurityHealthSystray.exe
Image|endswith: \SecurityHealthSetup.exe
condition: selection and not 1 of filter_main_*
Author
Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Created
2020-05-26
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.stealthattack.t1036.005
Raw Content
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
references:
- Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '\AtBroker.exe'
- '\audiodg.exe'
- '\backgroundTaskHost.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\cmdl32.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\csrss.exe'
- '\dasHost.exe'
- '\dfrgui.exe'
- '\dllhost.exe'
- '\dwm.exe'
- '\eventcreate.exe'
- '\eventvwr.exe'
- '\explorer.exe'
- '\extrac32.exe'
- '\fontdrvhost.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\ipconfig.exe'
- '\iscsicli.exe'
- '\iscsicpl.exe'
- '\logman.exe'
- '\LogonUI.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\msinfo32.exe'
- '\mstsc.exe'
- '\nbtstat.exe'
- '\odbcconf.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regini.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\SearchFilterHost.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SecurityHealthService.exe'
- '\SecurityHealthSystray.exe'
- '\services.exe'
- '\ShellAppRuntime.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\SystemSettingsBroker.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\TiWorker.exe'
- '\vssadmin.exe'
- '\w32tm.exe'
- '\WerFault.exe'
- '\WerFaultSecure.exe'
- '\wermgr.exe'
- '\wevtutil.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winrshost.exe'
- '\WinRTNetMUAHostServer.exe'
- '\wlanext.exe'
- '\wlrmdr.exe'
- '\WmiPrvSE.exe'
- '\wslhost.exe'
- '\WSReset.exe'
- '\WUDFHost.exe'
- '\WWAHost.exe'
filter_main_generic:
# Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
TargetFilename|contains:
# - '\SystemRoot\System32\'
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\uus\'
filter_main_tiworker:
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
TargetFilename|startswith: 'C:\Windows\Temp\'
filter_main_svchost:
Image|endswith:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|contains:
- 'C:\Program Files\WindowsApps\'
- 'C:\Program Files (x86)\WindowsApps\'
- '\AppData\Local\Microsoft\WindowsApps\'
filter_main_wuauclt:
Image:
- 'C:\Windows\System32\wuauclt.exe'
- 'C:\Windows\SysWOW64\wuauclt.exe'
- 'C:\Windows\UUS\arm64\wuaucltcore.exe'
filter_main_explorer:
TargetFilename|endswith: 'C:\Windows\explorer.exe'
filter_main_msiexec:
# This filter handles system processes who are updated/installed using misexec.
Image|endswith:
- 'C:\WINDOWS\system32\msiexec.exe'
- 'C:\WINDOWS\SysWOW64\msiexec.exe'
# Add more processes if you find them or simply filter msiexec on its own. If the list grows big
TargetFilename|startswith:
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
filter_main_healtray:
TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
Image|endswith: '\SecurityHealthSetup.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- System processes copied outside their default folders for testing purposes
- Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml