A newer version is available. For the latest information, see the
current release documentation.
Execution from Unusual Directory - Command Line
editExecution from Unusual Directory - Command Line
editIdentifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Execution
- Defense Evasion
Version: 8
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis This is related to the `Process Execution from an Unusual Directory rule`. ## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
Rule query
editprocess where event.type in ("start", "process_started", "info") and process.name : ("wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "cmstp.exe", "RegAsm.exe", "installutil.exe", "mshta.exe", "RegSvcs.exe", "powershell.exe", "pwsh.exe", "cmd.exe") and /* add suspicious execution paths here */ process.args : ("C:\\PerfLogs\\*", "C:\\Users\\Public\\*", "C:\\Windows\\Tasks\\*", "C:\\Intel\\*", "C:\\AMD\\Temp\\*", "C:\\Windows\\AppReadiness\\*", "C:\\Windows\\ServiceState\\*", "C:\\Windows\\security\\*", "C:\\Windows\\IdentityCRL\\*", "C:\\Windows\\Branding\\*", "C:\\Windows\\csc\\*", "C:\\Windows\\DigitalLocker\\*", "C:\\Windows\\en-US\\*", "C:\\Windows\\wlansvc\\*", "C:\\Windows\\Prefetch\\*", "C:\\Windows\\Fonts\\*", "C:\\Windows\\diagnostics\\*", "C:\\Windows\\TAPI\\*", "C:\\Windows\\INF\\*", "C:\\Windows\\System32\\Speech\\*", "C:\\windows\\tracing\\*", "c:\\windows\\IME\\*", "c:\\Windows\\Performance\\*", "c:\\windows\\intel\\*", "c:\\windows\\ms\\*", "C:\\Windows\\dot3svc\\*", "C:\\Windows\\panther\\*", "C:\\Windows\\RemotePackages\\*", "C:\\Windows\\OCR\\*", "C:\\Windows\\appcompat\\*", "C:\\Windows\\apppatch\\*", "C:\\Windows\\addins\\*", "C:\\Windows\\Setup\\*", "C:\\Windows\\Help\\*", "C:\\Windows\\SKB\\*", "C:\\Windows\\Vss\\*", "C:\\Windows\\servicing\\*", "C:\\Windows\\CbsTemp\\*", "C:\\Windows\\Logs\\*", "C:\\Windows\\WaaS\\*", "C:\\Windows\\twain_32\\*", "C:\\Windows\\ShellExperiences\\*", "C:\\Windows\\ShellComponents\\*", "C:\\Windows\\PLA\\*", "C:\\Windows\\Migration\\*", "C:\\Windows\\debug\\*", "C:\\Windows\\Cursors\\*", "C:\\Windows\\Containers\\*", "C:\\Windows\\Boot\\*", "C:\\Windows\\bcastdvr\\*", "C:\\Windows\\TextInput\\*", "C:\\Windows\\security\\*", "C:\\Windows\\schemas\\*", "C:\\Windows\\SchCache\\*", "C:\\Windows\\Resources\\*", "C:\\Windows\\rescache\\*", "C:\\Windows\\Provisioning\\*", "C:\\Windows\\PrintDialog\\*", "C:\\Windows\\PolicyDefinitions\\*", "C:\\Windows\\media\\*", "C:\\Windows\\Globalization\\*", "C:\\Windows\\L2Schemas\\*", "C:\\Windows\\LiveKernelReports\\*", "C:\\Windows\\ModemLogs\\*", "C:\\Windows\\ImmersiveControlPanel\\*", "C:\\$Recycle.Bin\\*") and /* noisy FP patterns */ not process.parent.executable : ("C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe", "C:\\Windows\\System32\\spacedeskService.exe", "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and not (process.name : "rundll32.exe" and process.args : ("uxtheme.dll,#64", "PRINTUI.DLL,PrintUIEntry", "?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog", "?:\\WINDOWS\\system32\\Speech\\SpeechUX\\sapi.cpl", "?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL")) and not (process.name : "cscript.exe" and process.args : "?:\\WINDOWS\\system32\\calluxxprovider.vbs") and not (process.name : "cmd.exe" and process.args : "?:\\WINDOWS\\system32\\powercfg.exe" and process.args : "?:\\WINDOWS\\inf\\PowerPlan.log") and not (process.name : "regsvr32.exe" and process.args : "?:\\Windows\\Help\\OEM\\scripts\\checkmui.dll") and not (process.name : "cmd.exe" and process.parent.executable : ("?:\\Windows\\System32\\oobe\\windeploy.exe", "?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe", "?:\\Windows\\System32\\igfxCUIService.exe", "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe"))
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
-
Sub-technique:
- Name: Match Legitimate Name or Location
- ID: T1036.005
- Reference URL: https://attack.mitre.org/techniques/T1036/005/