System File Execution Location Anomaly
- source: sigma
- techniques:
- t1036
Description
Detects a Windows program executable started from a suspicious folder
Detection logic
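# Sigma detection block for "System File Execution Location Anomaly".
# The rendered copy had lost its indentation, which silently turned the
# nested selection/filter values into sibling list items and top-level keys
# (and produced a duplicate "Image|endswith" key); nesting is restored here
# and every path is single-quoted so the backslashes stay literal.
# Sigma string matching is case-insensitive by default, so the mixed case of
# some entries (Taskmgr, RuntimeBroker, LsaIso) does not affect matching.

# Well-known Windows system binaries, matched on the image file name only.
selection:
  Image|endswith:
    - '\svchost.exe'
    - '\rundll32.exe'
    - '\services.exe'
    - '\powershell.exe'
    - '\powershell_ise.exe'
    - '\pwsh.exe'
    - '\regsvr32.exe'
    - '\spoolsv.exe'
    - '\lsass.exe'
    - '\smss.exe'
    - '\csrss.exe'
    - '\conhost.exe'
    - '\wininit.exe'
    - '\lsm.exe'
    - '\winlogon.exe'
    - '\explorer.exe'
    - '\taskhost.exe'
    - '\Taskmgr.exe'
    - '\sihost.exe'
    - '\RuntimeBroker.exe'
    - '\smartscreen.exe'
    - '\dllhost.exe'
    - '\audiodg.exe'
    - '\wlanext.exe'
    - '\dashost.exe'
    - '\schtasks.exe'
    - '\cscript.exe'
    - '\wscript.exe'
    - '\wsl.exe'
    - '\bitsadmin.exe'
    - '\atbroker.exe'
    - '\bcdedit.exe'
    - '\certutil.exe'
    - '\certreq.exe'
    - '\cmstp.exe'
    - '\consent.exe'
    - '\defrag.exe'
    - '\dism.exe'
    - '\dllhst3g.exe'
    - '\eventvwr.exe'
    - '\msiexec.exe'
    - '\runonce.exe'
    - '\winver.exe'
    - '\logonui.exe'
    - '\userinit.exe'
    - '\dwm.exe'
    - '\LsaIso.exe'
    - '\ntoskrnl.exe'
    - '\wsmprovhost.exe'
    - '\dfrgui.exe'

# A list of mappings under one selection name is OR-ed: the event is excluded
# when any one of the three clauses below matches.
filter_generic:
  # startswith also admits every subdirectory beneath these folders, and the
  # drive letter is fixed to C:; hosts with Windows on another drive will be
  # reported unless the \SystemRoot form below happens to apply. Tighten to
  # exact directories if subdirectory coverage is a concern in your estate.
  - Image|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
      - 'C:\Windows\WinSxS\'
  # Covers images reported with the \SystemRoot\ prefix instead of a drive letter.
  - Image|contains: '\SystemRoot\System32\'
  # Exact full paths of listed binaries that legitimately live outside System32.
  - Image:
      - 'C:\Windows\explorer.exe'
      - 'C:\Program Files\PowerShell\7\pwsh.exe'
      - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'

# Keys inside a single mapping are AND-ed: both the name and the Store
# install path must match for the WSL launcher to be excluded.
filter_wsl_windowsapps:
  Image|endswith: '\wsl.exe'
  Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'

# Alert on the selection unless at least one filter_* clause excludes it.
condition: selection and not 1 of filter_*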