title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
      type: derived
status: test
description: |
    Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
    - https://asec.ahnlab.com/en/39828/
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\atbroker.exe'
            - '\audiodg.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\certreq.exe'
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\consent.exe'
            - '\cscript.exe'
            - '\csrss.exe'
            - '\dashost.exe'
            - '\defrag.exe'
            - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
            - '\dism.exe'
            - '\dllhost.exe'
            - '\dllhst3g.exe'
            - '\dwm.exe'
            - '\eventvwr.exe'
            - '\fsquirt.exe' # Was seen used by SideWinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\finger.exe'
            - '\logonui.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\ntoskrnl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\runonce.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\userinit.exe'
            - '\werfault.exe'
            - '\werfaultsecure.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winver.exe'
            - '\wlanext.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
        Image|contains:
            - 'C:\Program Files\PowerShell\7\'
            - 'C:\Program Files\PowerShell\7-preview\'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
        Image|endswith: '\pwsh.exe'
    filter_main_wsl_programfiles:
        Image|startswith:
            - 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
            - 'C:\Program Files\WSL\'
        Image|endswith: '\wsl.exe'
    filter_main_wsl_appdata:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
        Image|endswith: '\wsl.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
imProcessCreate
| where (TargetProcessName endswith "\\atbroker.exe" or TargetProcessName endswith "\\audiodg.exe" or TargetProcessName endswith "\\bcdedit.exe"
    or TargetProcessName endswith "\\bitsadmin.exe" or TargetProcessName endswith "\\certreq.exe" or TargetProcessName endswith "\\certutil.exe"
    or TargetProcessName endswith "\\cmstp.exe" or TargetProcessName endswith "\\conhost.exe" or TargetProcessName endswith "\\consent.exe"
    or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\csrss.exe" or TargetProcessName endswith "\\dashost.exe"
    or TargetProcessName endswith "\\defrag.exe" or TargetProcessName endswith "\\dfrgui.exe" or TargetProcessName endswith "\\dism.exe"
    or TargetProcessName endswith "\\dllhost.exe" or TargetProcessName endswith "\\dllhst3g.exe" or TargetProcessName endswith "\\dwm.exe"
    or TargetProcessName endswith "\\eventvwr.exe" or TargetProcessName endswith "\\fsquirt.exe" or TargetProcessName endswith "\\finger.exe"
    or TargetProcessName endswith "\\logonui.exe" or TargetProcessName endswith "\\LsaIso.exe" or TargetProcessName endswith "\\lsass.exe"
    or TargetProcessName endswith "\\lsm.exe" or TargetProcessName endswith "\\msiexec.exe" or TargetProcessName endswith "\\ntoskrnl.exe"
    or TargetProcessName endswith "\\powershell_ise.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe"
    or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\runonce.exe"
    or TargetProcessName endswith "\\RuntimeBroker.exe" or TargetProcessName endswith "\\schtasks.exe" or TargetProcessName endswith "\\services.exe"
    or TargetProcessName endswith "\\sihost.exe" or TargetProcessName endswith "\\smartscreen.exe" or TargetProcessName endswith "\\smss.exe"
    or TargetProcessName endswith "\\spoolsv.exe" or TargetProcessName endswith "\\svchost.exe" or TargetProcessName endswith "\\taskhost.exe"
    or TargetProcessName endswith "\\taskhostw.exe" or TargetProcessName endswith "\\Taskmgr.exe" or TargetProcessName endswith "\\userinit.exe"
    or TargetProcessName endswith "\\werfault.exe" or TargetProcessName endswith "\\werfaultsecure.exe" or TargetProcessName endswith "\\wininit.exe"
    or TargetProcessName endswith "\\winlogon.exe" or TargetProcessName endswith "\\winver.exe" or TargetProcessName endswith "\\wlanext.exe"
    or TargetProcessName endswith "\\wscript.exe" or TargetProcessName endswith "\\wsl.exe" or TargetProcessName endswith "\\wsmprovhost.exe")
    and (not(((TargetProcessName startswith "C:\\$WINDOWS.~BT\\" or TargetProcessName startswith "C:\\$WinREAgent\\"
        or TargetProcessName startswith "C:\\Windows\\SoftwareDistribution\\" or TargetProcessName startswith "C:\\Windows\\System32\\"
        or TargetProcessName startswith "C:\\Windows\\SystemTemp\\" or TargetProcessName startswith "C:\\Windows\\SysWOW64\\"
        or TargetProcessName startswith "C:\\Windows\\uus\\" or TargetProcessName startswith "C:\\Windows\\WinSxS\\")
        or ((TargetProcessName contains "C:\\Program Files\\PowerShell\\7\\" or TargetProcessName contains "C:\\Program Files\\PowerShell\\7-preview\\"
            or TargetProcessName contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview"
            or TargetProcessName contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview")
            and TargetProcessName endswith "\\pwsh.exe")
        or ((TargetProcessName startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux"
            or TargetProcessName startswith "C:\\Program Files\\WSL\\")
            and TargetProcessName endswith "\\wsl.exe")
        or (TargetProcessName startswith "C:\\Users\\" and TargetProcessName contains "\\AppData\\Local\\Microsoft\\WindowsApps\\"
            and TargetProcessName endswith "\\wsl.exe"))))
    and (not(TargetProcessName contains "\\SystemRoot\\System32\\"))
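The selection and filter logic of the rule above (the Sigma YAML and its Sentinel translation express the same condition), re-implemented in Python and run over a few constructed process-creation events so that the effect of each exclusion can be checked offline. This is an added example, not code from the Sigma project or from the rule's authors. It assumes the `filter_main_wsl_appdata` prefix is meant to be `C:\Users\`, and it treats all string comparisons as case-insensitive, as Sigma's `startswith`/`endswith`/`contains` modifiers do. The names `rule_matches`, `evaluate` and `SAMPLE_EVENTS`, and the sample paths, are the example's own.

```python
"""Stand-alone evaluation of the System File Execution Location Anomaly logic.

Added example; not the Sigma project's code. Sigma string modifiers compare
case-insensitively, so every comparison below lowercases both sides.
"""

# detection.selection: Image|endswith
SELECTION_SUFFIXES = [
    "\\atbroker.exe", "\\audiodg.exe", "\\bcdedit.exe", "\\bitsadmin.exe", "\\certreq.exe",
    "\\certutil.exe", "\\cmstp.exe", "\\conhost.exe", "\\consent.exe", "\\cscript.exe",
    "\\csrss.exe", "\\dashost.exe", "\\defrag.exe", "\\dfrgui.exe", "\\dism.exe",
    "\\dllhost.exe", "\\dllhst3g.exe", "\\dwm.exe", "\\eventvwr.exe", "\\fsquirt.exe",
    "\\finger.exe", "\\logonui.exe", "\\LsaIso.exe", "\\lsass.exe", "\\lsm.exe",
    "\\msiexec.exe", "\\ntoskrnl.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\regsvr32.exe", "\\rundll32.exe", "\\runonce.exe", "\\RuntimeBroker.exe", "\\schtasks.exe",
    "\\services.exe", "\\sihost.exe", "\\smartscreen.exe", "\\smss.exe", "\\spoolsv.exe",
    "\\svchost.exe", "\\taskhost.exe", "\\taskhostw.exe", "\\Taskmgr.exe", "\\userinit.exe",
    "\\werfault.exe", "\\werfaultsecure.exe", "\\wininit.exe", "\\winlogon.exe", "\\winver.exe",
    "\\wlanext.exe", "\\wscript.exe", "\\wsl.exe", "\\wsmprovhost.exe",
]
# filter_main_generic: Image|startswith
GENERIC_PREFIXES = [
    "C:\\$WINDOWS.~BT\\", "C:\\$WinREAgent\\", "C:\\Windows\\SoftwareDistribution\\",
    "C:\\Windows\\System32\\", "C:\\Windows\\SystemTemp\\", "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\uus\\", "C:\\Windows\\WinSxS\\",
]
# filter_main_powershell: Image|contains (combined with endswith '\pwsh.exe')
POWERSHELL_CONTAINS = [
    "C:\\Program Files\\PowerShell\\7\\", "C:\\Program Files\\PowerShell\\7-preview\\",
    "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview",
    "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview",
]
# filter_main_wsl_programfiles: Image|startswith (combined with endswith '\wsl.exe')
WSL_PROGRAMFILES_PREFIXES = [
    "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux",
    "C:\\Program Files\\WSL\\",
]
# filter_main_wsl_appdata: the prefix is assumed to be the user-profile root.
USERS_PREFIX = "C:\\Users\\"
WSL_APPDATA_CONTAINS = "\\AppData\\Local\\Microsoft\\WindowsApps\\"
# filter_optional_system32: Image|contains
SYSTEMROOT_CONTAINS = "\\SystemRoot\\System32\\"


def _ends(image, suffixes):
    low = image.lower()
    return any(low.endswith(s.lower()) for s in suffixes)


def _starts(image, prefixes):
    low = image.lower()
    return any(low.startswith(p.lower()) for p in prefixes)


def _has(image, needles):
    low = image.lower()
    return any(n.lower() in low for n in needles)


def rule_matches(image, wsl_appdata_prefix=USERS_PREFIX):
    """True when the event fires: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    if not _ends(image, SELECTION_SUFFIXES):
        return False
    filter_main = (
        _starts(image, GENERIC_PREFIXES)
        or (_has(image, POWERSHELL_CONTAINS) and _ends(image, ["\\pwsh.exe"]))
        or (_starts(image, WSL_PROGRAMFILES_PREFIXES) and _ends(image, ["\\wsl.exe"]))
        or (_starts(image, [wsl_appdata_prefix]) and _has(image, [WSL_APPDATA_CONTAINS])
            and _ends(image, ["\\wsl.exe"]))
    )
    filter_optional = _has(image, [SYSTEMROOT_CONTAINS])
    return not filter_main and not filter_optional


# Constructed process-creation events (not real telemetry); usernames are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 1, "Image": "C:\\Windows\\System32\\svchost.exe"},                      # system folder
    {"ProcessId": 2, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},    # anomaly
    {"ProcessId": 3, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},             # excluded pwsh
    {"ProcessId": 4, "Image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\WindowsApps\\wsl.exe"},  # Store WSL
    {"ProcessId": 5, "Image": "\\SystemRoot\\System32\\smss.exe"},                       # optional filter
    {"ProcessId": 6, "Image": "C:\\Users\\carol\\Downloads\\certutil.exe"},              # anomaly
    {"ProcessId": 7, "Image": "C:\\Tools\\notepad.exe"},                                 # not in selection
    {"ProcessId": 8, "Image": "C:\\WINDOWS\\system32\\CONHOST.EXE"},                     # case-insensitive
    {"ProcessId": 9, "Image": "C:\\Windows\\Temp\\wsl.exe"},                             # anomaly
]


def evaluate(events):
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_matches(e["Image"])]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the script prints the three anomalous paths (events 2, 6 and 9) and nothing for the system-folder, excluded-PowerShell, Store-WSL, `\SystemRoot`, out-of-selection and mixed-case events. The `wsl_appdata_prefix` keyword exists to show what a mistyped exclusion does: pass `"C:\\Users\\'"` (a stray quote appended to the prefix) and the Store-installed WSL event starts alerting, because a prefix that never matches silently disables the filter rather than raising an error. That is the check worth running whenever a filter in a rule like this is edited.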
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, l
Use these Atomic Red Team tests to validate this detection fires correctly: