← Back to Explore
sigmahighHunting
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
MITRE ATT&CK
Detection Query
selection:
Image|endswith:
- \atbroker.exe
- \audiodg.exe
- \bcdedit.exe
- \bitsadmin.exe
- \certreq.exe
- \certutil.exe
- \cmstp.exe
- \conhost.exe
- \consent.exe
- \cscript.exe
- \csrss.exe
- \dashost.exe
- \defrag.exe
- \dfrgui.exe
- \dism.exe
- \dllhost.exe
- \dllhst3g.exe
- \dwm.exe
- \eventvwr.exe
- \fsquirt.exe
- \finger.exe
- \logonui.exe
- \LsaIso.exe
- \lsass.exe
- \lsm.exe
- \msiexec.exe
- \ntoskrnl.exe
- \powershell_ise.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \runonce.exe
- \RuntimeBroker.exe
- \schtasks.exe
- \services.exe
- \sihost.exe
- \smartscreen.exe
- \smss.exe
- \spoolsv.exe
- \svchost.exe
- \taskhost.exe
- \taskhostw.exe
- \Taskmgr.exe
- \userinit.exe
- \werfault.exe
- \werfaultsecure.exe
- \wininit.exe
- \winlogon.exe
- \winver.exe
- \wlanext.exe
- \wscript.exe
- \wsl.exe
- \wsmprovhost.exe
filter_main_generic:
Image|startswith:
- C:\$WINDOWS.~BT\
- C:\$WinREAgent\
- C:\Windows\SoftwareDistribution\
- C:\Windows\System32\
- C:\Windows\SystemTemp\
- C:\Windows\SysWOW64\
- C:\Windows\uus\
- C:\Windows\WinSxS\
filter_optional_system32:
Image|contains: \SystemRoot\System32\
filter_main_powershell:
Image|contains:
- C:\Program Files\PowerShell\7\
- C:\Program Files\PowerShell\7-preview\
- C:\Program Files\WindowsApps\Microsoft.PowerShellPreview
- \AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview
Image|endswith: \pwsh.exe
filter_main_wsl_programfiles:
Image|startswith:
- C:\Program
Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux
- C:\Program Files\WSL\
Image|endswith: \wsl.exe
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: \AppData\Local\Microsoft\WindowsApps\
Image|endswith: \wsl.exe
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Created
2017-11-27
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.stealthattack.t1036
Raw Content
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
- id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
type: derived
status: test
description: |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
- https://twitter.com/GelosSnake/status/934900723426439170
- https://asec.ahnlab.com/en/39828/
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\atbroker.exe'
- '\audiodg.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\certreq.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\cscript.exe'
- '\csrss.exe'
- '\dashost.exe'
- '\defrag.exe'
- '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- '\dism.exe'
- '\dllhost.exe'
- '\dllhst3g.exe'
- '\dwm.exe'
- '\eventvwr.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\finger.exe'
- '\logonui.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\ntoskrnl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\runonce.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\services.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\userinit.exe'
- '\werfault.exe'
- '\werfaultsecure.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winver.exe'
- '\wlanext.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_optional_system32:
Image|contains: '\SystemRoot\System32\'
filter_main_powershell:
Image|contains:
- 'C:\Program Files\PowerShell\7\'
- 'C:\Program Files\PowerShell\7-preview\'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
Image|endswith: '\pwsh.exe'
filter_main_wsl_programfiles:
Image|startswith:
- 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
- 'C:\Program Files\WSL\'
Image|endswith: '\wsl.exe'
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|endswith: '\wsl.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml