
Files With System Process Name In Unsuspected Locations

Format: Sigma · Level: medium · Source: SigmaHQ · ATT&CK: T1036.005 · Sentinel table: imFileEvent
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Detection Rule

Sigma (Original)

title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_tiworker:
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
        TargetFilename|startswith: 'C:\Windows\Temp\'
    filter_main_svchost:
        Image|endswith:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|contains:
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\WindowsApps\'
            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\SysWOW64\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system processes that are updated/installed using msiexec.
        Image|endswith:
            - 'C:\WINDOWS\system32\msiexec.exe'
            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more processes if you find them, or simply filter msiexec on its own if the list grows big.
        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - System processes copied outside their default folders for testing purposes
    - Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline of your environment.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml
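To see how the condition `selection and not 1 of filter_main_*` plays out on concrete events, here is an added Python evaluator (not part of this page or of the SigmaHQ rule) that implements a subset of the rule's process names and three of its filters and runs them over constructed Sysmon-style file-creation records; all paths and process names in the events are constructed.

```python
# Added example, not from the page or the SigmaHQ rule: a minimal evaluator for the
# rule's selection / filter_main_* / condition logic, run over constructed file
# events. Only a subset of the 73 process names and 3 of the 7 filters are included.
# Sigma's endswith/contains/startswith modifiers are case-insensitive, hence lower().
NAMES = ["\\svchost.exe", "\\lsass.exe", "\\explorer.exe", "\\pwsh.exe"]
SYSTEM_DIRS = ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\WinSxS\\"]
WINDOWSAPPS = ["C:\\Program Files\\WindowsApps\\", "\\AppData\\Local\\Microsoft\\WindowsApps\\"]
SVCHOST = ["C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"]

def ends(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def has(value, parts):
    return any(p.lower() in value.lower() for p in parts)

def selection(ev):
    return ends(ev["TargetFilename"], NAMES)

FILTERS = {
    "filter_main_generic": lambda ev: has(ev["TargetFilename"], SYSTEM_DIRS),
    # Keyed on the acting process (Image) together with the target path.
    "filter_main_svchost": lambda ev: ends(ev["Image"], SVCHOST) and has(ev["TargetFilename"], WINDOWSAPPS),
    "filter_main_explorer": lambda ev: ends(ev["TargetFilename"], ["C:\\Windows\\explorer.exe"]),
}

def evaluate(ev):
    """condition: selection and not 1 of filter_main_*  ->  (alert, suppressing_filter)."""
    if not selection(ev):
        return (False, None)
    for name, matches in FILTERS.items():
        if matches(ev):
            return (False, name)
    return (True, None)

# Constructed events (not real telemetry): Image = acting process, TargetFilename = created file.
EVENTS = {
    "staged_in_temp": {"Image": "C:\\Users\\bob\\Downloads\\setup.exe",
                       "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"},
    "servicing_stack": {"Image": "C:\\Windows\\WinSxS\\amd64_a\\TiWorker.exe",
                        "TargetFilename": "C:\\Windows\\WinSxS\\amd64_b\\lsass.exe"},
    "store_install": {"Image": "C:\\Windows\\System32\\svchost.exe",
                      "TargetFilename": "C:\\Program Files\\WindowsApps\\Microsoft.PowerShell_7\\pwsh.exe"},
    "store_path_other_writer": {"Image": "C:\\Users\\bob\\Downloads\\setup.exe",
                                "TargetFilename": "C:\\Program Files\\WindowsApps\\Microsoft.PowerShell_7\\pwsh.exe"},
}

if __name__ == "__main__":
    for label, ev in EVENTS.items():
        print(label, evaluate(ev))
```

The last two events share the same target path; only the one written by the real svchost.exe is suppressed, which is why the filter keys on the acting process rather than on the path alone.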

KQL (Azure Sentinel)

imFileEvent
// Field mapping to the ASIM FileEvent schema: Sigma TargetFilename -> TargetFilePath (full path),
// Sigma Image (acting process) -> ActingProcessName. The base name is derived from the full path
// so the match does not depend on how a given parser fills TargetFileName.
| extend TargetBaseName = extract(@"[^\\]+$", 0, TargetFilePath)
| where TargetBaseName in~ ("AtBroker.exe", "audiodg.exe", "backgroundTaskHost.exe", "bcdedit.exe", "bitsadmin.exe",
    "cmdl32.exe", "cmstp.exe", "conhost.exe", "csrss.exe", "dasHost.exe", "dfrgui.exe", "dllhost.exe", "dwm.exe",
    "eventcreate.exe", "eventvwr.exe", "explorer.exe", "extrac32.exe", "fontdrvhost.exe", "fsquirt.exe", "ipconfig.exe",
    "iscsicli.exe", "iscsicpl.exe", "logman.exe", "LogonUI.exe", "LsaIso.exe", "lsass.exe", "lsm.exe", "msiexec.exe",
    "msinfo32.exe", "mstsc.exe", "nbtstat.exe", "odbcconf.exe", "powershell.exe", "pwsh.exe", "regini.exe", "regsvr32.exe",
    "rundll32.exe", "RuntimeBroker.exe", "schtasks.exe", "SearchFilterHost.exe", "SearchIndexer.exe", "SearchProtocolHost.exe",
    "SecurityHealthService.exe", "SecurityHealthSystray.exe", "services.exe", "ShellAppRuntime.exe", "sihost.exe",
    "smartscreen.exe", "smss.exe", "spoolsv.exe", "svchost.exe", "SystemSettingsBroker.exe", "taskhost.exe", "taskhostw.exe",
    "Taskmgr.exe", "TiWorker.exe", "vssadmin.exe", "w32tm.exe", "WerFault.exe", "WerFaultSecure.exe", "wermgr.exe",
    "wevtutil.exe", "wininit.exe", "winlogon.exe", "winrshost.exe", "WinRTNetMUAHostServer.exe", "wlanext.exe", "wlrmdr.exe",
    "WmiPrvSE.exe", "wslhost.exe", "WSReset.exe", "WUDFHost.exe", "WWAHost.exe")
// filter_main_generic: expected system locations (replace with tighter filters where possible to avoid false negatives)
| where not(TargetFilePath contains @"C:\$WINDOWS.~BT\" or TargetFilePath contains @"C:\$WinREAgent\"
    or TargetFilePath contains @"C:\Windows\SoftwareDistribution\" or TargetFilePath contains @"C:\Windows\System32\"
    or TargetFilePath contains @"C:\Windows\SysWOW64\" or TargetFilePath contains @"C:\Windows\WinSxS\"
    or TargetFilePath contains @"C:\Windows\uus\")
// filter_main_tiworker
| where not((ActingProcessName endswith @"\TiWorker.exe" or ActingProcessName endswith @"\wuaucltcore.exe")
    and TargetFilePath startswith @"C:\Windows\Temp\")
// filter_main_svchost
| where not((ActingProcessName endswith @"C:\Windows\system32\svchost.exe" or ActingProcessName endswith @"C:\Windows\SysWOW64\svchost.exe")
    and (TargetFilePath contains @"C:\Program Files\WindowsApps\" or TargetFilePath contains @"C:\Program Files (x86)\WindowsApps\"
        or TargetFilePath contains @"\AppData\Local\Microsoft\WindowsApps\"))
// filter_main_wuauclt
| where not(ActingProcessName in~ (@"C:\Windows\System32\wuauclt.exe", @"C:\Windows\SysWOW64\wuauclt.exe", @"C:\Windows\UUS\arm64\wuaucltcore.exe"))
// filter_main_explorer
| where not(TargetFilePath endswith @"C:\Windows\explorer.exe")
// filter_main_msiexec
| where not((ActingProcessName endswith @"C:\WINDOWS\system32\msiexec.exe" or ActingProcessName endswith @"C:\WINDOWS\SysWOW64\msiexec.exe")
    and (TargetFilePath startswith @"C:\Program Files\PowerShell\7\pwsh.exe" or TargetFilePath startswith @"C:\Program Files\PowerShell\7-preview\pwsh.exe"
        or TargetFilePath startswith @"C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\"))
// filter_main_healtray
| where not(TargetFilePath contains @"C:\Windows\System32\SecurityHealth\" and TargetFilePath endswith @"\SecurityHealthSystray.exe"
    and ActingProcessName endswith @"\SecurityHealthSetup.exe")

Required Data Sources

Sentinel table: imFileEvent (the ASIM FileEvent unifying parser)
Notes: Ensure this data connector is enabled and that the ASIM FileEvent parser is deployed in the workspace, otherwise the query returns no rows.

False Positive Guidance

- System processes copied outside their default folders for testing purposes
- Third party software naming their software with the same names as the processes mentioned here

Perform an initial baseline of your environment before enabling the rule in production, and raise the level from medium to high only after that baseline, as the rule's own note recommends. The generic filter on system folders is a stop-gap; replace it with filters tied to the acting process (as filter_main_tiworker, filter_main_svchost and filter_main_msiexec do) wherever you can, so that a copy of a system binary written to an expected path by an unexpected process is still caught.
MITRE ATT&CK Context

T1036.005 is a sub-technique of Masquerading (T1036) under the Defense Evasion tactic (tagged attack.defense-evasion in the rule): an executable is dropped outside the system directories under the name of a legitimate system process so that it blends into process listings and casual inspection.
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml