Files With System Process Name In Unsuspected Locations
- source: sigma
- techniques:
  - t1036
  - t1036.005
 
Description
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Detection logic
# Detection section of the Sigma rule as rendered on this page (logsource and
# rule metadata are shown elsewhere). Laid out Sigma-style: the positive
# selection first, the exclusion filters next, the condition last. Mapping
# order carries no meaning to the parser, so this is purely for readability.
selection:
  # Names of Windows system processes; matched against the tail of the
  # created file's path, so any directory is a hit unless a filter excludes it.
  TargetFilename|endswith:
    - \AtBroker.exe
    - \audiodg.exe
    - \backgroundTaskHost.exe
    - \bcdedit.exe
    - \bitsadmin.exe
    - \cmdl32.exe
    - \cmstp.exe
    - \conhost.exe
    - \csrss.exe
    - \dasHost.exe
    - \dfrgui.exe
    - \dllhost.exe
    - \dwm.exe
    - \eventcreate.exe
    - \eventvwr.exe
    - \explorer.exe
    - \extrac32.exe
    - \fontdrvhost.exe
    - \ipconfig.exe
    - \iscsicli.exe
    - \iscsicpl.exe
    - \logman.exe
    - \LogonUI.exe
    - \LsaIso.exe
    - \lsass.exe
    - \lsm.exe
    - \msiexec.exe
    - \msinfo32.exe
    - \mstsc.exe
    - \nbtstat.exe
    - \odbcconf.exe
    - \powershell.exe
    - \pwsh.exe
    - \regini.exe
    - \regsvr32.exe
    - \rundll32.exe
    - \RuntimeBroker.exe
    - \schtasks.exe
    - \SearchFilterHost.exe
    - \SearchIndexer.exe
    - \SearchProtocolHost.exe
    - \SecurityHealthService.exe
    - \SecurityHealthSystray.exe
    - \services.exe
    - \ShellAppRuntime.exe
    - \sihost.exe
    - \smartscreen.exe
    - \smss.exe
    - \spoolsv.exe
    - \svchost.exe
    - \SystemSettingsBroker.exe
    - \taskhost.exe
    - \taskhostw.exe
    - \Taskmgr.exe
    - \TiWorker.exe
    - \vssadmin.exe
    - \w32tm.exe
    - \WerFault.exe
    - \WerFaultSecure.exe
    - \wermgr.exe
    - \wevtutil.exe
    - \wininit.exe
    - \winlogon.exe
    - \winrshost.exe
    - \WinRTNetMUAHostServer.exe
    - \wlanext.exe
    - \wlrmdr.exe
    - \WmiPrvSE.exe
    - \wslhost.exe
    - \WSReset.exe
    - \WUDFHost.exe
    - \WWAHost.exe

# Exclusions. The condition below uses "1 of filter_main_*", so an event that
# satisfies any single filter block is suppressed; within one block all listed
# fields must match (Sigma AND-s the fields of a block together).

# Windows system and servicing folders where these binaries legitimately live.
filter_main_generic:
  TargetFilename|contains:
    - C:\$WINDOWS.~BT\
    - C:\$WinREAgent\
    - C:\Windows\SoftwareDistribution\
    - C:\Windows\System32\
    - C:\Windows\SysWOW64\
    - C:\Windows\WinSxS\
    - C:\Windows\uus\

# explorer.exe sits directly under C:\Windows, not under a system folder.
filter_main_explorer:
  TargetFilename|endswith: C:\Windows\explorer.exe

# Windows Security setup dropping its own tray binary under System32.
filter_main_healtray:
  Image|endswith: \SecurityHealthSetup.exe
  TargetFilename|contains: C:\Windows\System32\SecurityHealth\
  TargetFilename|endswith: \SecurityHealthSystray.exe

# PowerShell 7 installs write pwsh.exe via the Windows Installer service.
filter_main_msiexec:
  Image|endswith:
    - C:\WINDOWS\system32\msiexec.exe
    - C:\WINDOWS\SysWOW64\msiexec.exe
  TargetFilename|startswith:
    - C:\Program Files\PowerShell\7\pwsh.exe
    - C:\Program Files\PowerShell\7-preview\pwsh.exe
    - C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\

# Store/app deployment by svchost.exe into the WindowsApps folders; the last
# entry is a per-user profile path and is scoped only by the Image field.
filter_main_svchost:
  Image|endswith:
    - C:\Windows\system32\svchost.exe
    - C:\Windows\SysWOW64\svchost.exe
  TargetFilename|contains:
    - C:\Program Files\WindowsApps\
    - C:\Program Files (x86)\WindowsApps\
    - \AppData\Local\Microsoft\WindowsApps\

# Image-only filter: every file written by wuauclt.exe is excluded, whatever
# its destination path.
filter_main_wuauclt:
  Image|endswith:
    - C:\Windows\System32\wuauclt.exe
    - C:\Windows\SysWOW64\wuauclt.exe

condition: selection and not 1 of filter_main_*
