Process Execution from an Unusual Directory

edit

Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 6 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
process where event.type in ("start", "process_started", "info") and
/* add suspicious execution paths here */ process.executable : ("C:\\P
erfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Windows\\Tasks\\*.exe"
,"C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe","C:\\Windows\\AppReadiness\
\*.exe", "C:\\Windows\\ServiceState\\*.exe","C:\\Windows\\security\\*.
exe","C:\\Windows\\IdentityCRL\\*.exe","C:\\Windows\\Branding\\*.exe",
"C:\\Windows\\csc\\*.exe",
"C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\W
indows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\F
onts\\*.exe", "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*
.exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe"
,"C:\\windows\\tracing\\*.exe", "c:\\windows\\IME\\*.exe","c:\\Window
s\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*
.exe","C:\\Windows\\dot3svc\\*.exe", "C:\\Windows\\panther\\*.exe","C
:\\Windows\\RemotePackages\\*.exe","C:\\Windows\\OCR\\*.exe","C:\\Wind
ows\\appcompat\\*.exe","C:\\Windows\\apppatch\\*.exe","C:\\Windows\\ad
dins\\*.exe", "C:\\Windows\\Setup\\*.exe","C:\\Windows\\Help\\*.exe",
"C:\\Windows\\SKB\\*.exe","C:\\Windows\\Vss\\*.exe","C:\\Windows\\Web\
\*.exe","C:\\Windows\\servicing\\*.exe","C:\\Windows\\CbsTemp\\*.exe",
"C:\\Windows\\Logs\\*.exe","C:\\Windows\\WaaS\\*.exe","C:\\Windows\\Sh
ellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Wind
ows\\PLA\\*.exe", "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debug
\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.exe
","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe", "C:\\Win
dows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\s
ecurity\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\\
*.exe","C:\\Windows\\Resources\\*.exe", "C:\\Windows\\rescache\\*.exe
","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe"
,"C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe",
"C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C
:\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe",
"C:\\Windows\\ImmersiveControlPanel\\*.exe") and not process.name : (
"SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDi
alog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") and not
process.executable :
("?:\\Intel\\Wireless\\WUSetupLauncher.exe",
"?:\\Intel\\Wireless\\Setup.exe", "?:\\Intel\\Move
Mouse.exe", "?:\\windows\\Panther\\DiagTrackRunner.exe",
"?:\\Windows\\servicing\\GC64\\tzupd.exe",
"?:\\Users\\Public\\res\\RemoteLite.exe",
"?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe",
"?:\\Users\\Public\\Documents\\syspin.exe",
"?:\\Users\\Public\\res\\FileWatcher.exe") /* uncomment once in
winlogbeat */ /* and not (process.code_signature.subject_name ==
"Microsoft Corporation" and process.code_signature.trusted == true) */

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 6 (8.4.0 release)
  • Updated query, changed from:

    process where event.type in ("start", "process_started", "info") and
    /* add suspicious execution paths here */ process.executable : ("C:\\P
    erfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Users\\Default\\*.exe"
    ,"C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe"
    ,"C:\\Windows\\AppReadiness\\*.exe", "C:\\Windows\\ServiceState\\*.exe
    ","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityCRL\\*.exe","C:
    \\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe",
    "C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\W
    indows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\F
    onts\\*.exe", "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*
    .exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe"
    ,"C:\\windows\\tracing\\*.exe", "c:\\windows\\IME\\*.exe","c:\\Window
    s\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*
    .exe","C:\\Windows\\dot3svc\\*.exe","C:\\Windows\\ServiceProfiles\\*.e
    xe", "C:\\Windows\\panther\\*.exe","C:\\Windows\\RemotePackages\\*.ex
    e","C:\\Windows\\OCR\\*.exe","C:\\Windows\\appcompat\\*.exe","C:\\Wind
    ows\\apppatch\\*.exe","C:\\Windows\\addins\\*.exe", "C:\\Windows\\Set
    up\\*.exe","C:\\Windows\\Help\\*.exe","C:\\Windows\\SKB\\*.exe","C:\\W
    indows\\Vss\\*.exe","C:\\Windows\\Web\\*.exe","C:\\Windows\\servicing\
    \*.exe","C:\\Windows\\CbsTemp\\*.exe", "C:\\Windows\\Logs\\*.exe","C:
    \\Windows\\WaaS\\*.exe","C:\\Windows\\twain_32\\*.exe","C:\\Windows\\S
    hellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Win
    dows\\PLA\\*.exe", "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debu
    g\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.ex
    e","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe", "C:\\Wi
    ndows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\
    security\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\
    \*.exe","C:\\Windows\\Resources\\*.exe", "C:\\Windows\\rescache\\*.ex
    e","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe
    ","C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe",
    "C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C
    :\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe",
    "C:\\Windows\\ImmersiveControlPanel\\*.exe") and not process.name : (
    "SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDi
    alog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") /* uncomment once
    in winlogbeat */ /* and not (process.code_signature.subject_name ==
    "Microsoft Corporation" and process.code_signature.trusted == true) */
Version 4 (8.2.0 release)
  • Formatting only
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only