Techniques
Sample rules
Windows Unusual SysWOW64 Process Run System32 Executable
- source: splunk
- technicques:
- T1036.009
Description
The following analytic detects an unusual process execution pattern where a process running from C:\Windows\SysWOW64\ attempts to execute a binary from C:\Windows\System32. In a typical Windows environment, 32-bit processes under SysWOW64 should primarily interact with 32-bit binaries within the same directory. However, an execution flow where a 32-bit process spawns a 64-bit binary from System32 can indicate potential process injection, privilege escalation, evasion techniques, or unauthorized execution hijacking.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\Windows\\SysWOW64\\*" AND Processes.process = "*windows\\system32\\*" by Processes.parent_process_name Processes.process_path Processes.process Processes.original_file_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_unusual_syswow64_process_run_system32_executable_filter`