rules/windows/file_event/sysmon_creation_system_file.yml

title: File Created with System Process Name
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: experimental
description: Detects the creation of a executable with a system process name in a suspicious folder
author: Sander Wiebing
date: 2020/05/26
modified: 2020/08/23
tags:
    - attack.defense_evasion
    - attack.t1036          # an old one
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\svchost.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\spoolsv.exe'
            - '\lsass.exe'
            - '\smss.exe'
            - '\csrss.exe'
            - '\conhost.exe'
            - '\wininit.exe'
            - '\lsm.exe'
            - '\winlogon.exe'
            - '\explorer.exe'
            - '\taskhost.exe'
            - '\Taskmgr.exe'
            - '\taskmgr.exe'
            - '\sihost.exe'
            - '\RuntimeBroker.exe'
            - '\runtimebroker.exe'
            - '\smartscreen.exe'
            - '\dllhost.exe'
            - '\audiodg.exe'
            - '\wlanext.exe'
    filter:
        TargetFilename|startswith:
            - 'C:\Windows\System32\\'
            - 'C:\Windows\system32\\'
            - 'C:\Windows\SysWow64\\'
            - 'C:\Windows\SysWOW64\\'
            - 'C:\Windows\winsxs\\'
            - 'C:\Windows\WinSxS\\'
            - '\SystemRoot\System32\\'
    condition: selection and not filter
fields:
    - Image
falsepositives:
    - System processes copied outside the default folder
level: high
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`title: File Created with System Process Name`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`status: experimental`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`description: Detects the creation of a executable with a system process name in a suspicious folder`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`author: Sander Wiebing`
			`date: 2020/05/26`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`modified: 2020/08/23`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`tags:`
			`- attack.defense_evasion`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`- attack.t1036 # an old one`
			`- attack.t1036.005`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`logsource:`
Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00			`category: file_event`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`product: windows`
			`detection:`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00			`selection:`
Update sysmon_creation_system_file.yml 2020-10-15 15:58:10 -03:00			`TargetFilename\|endswith:`
			`- '\svchost.exe'`
			`- '\rundll32.exe'`
			`- '\services.exe'`
			`- '\powershell.exe'`
			`- '\regsvr32.exe'`
			`- '\spoolsv.exe'`
			`- '\lsass.exe'`
			`- '\smss.exe'`
			`- '\csrss.exe'`
			`- '\conhost.exe'`
			`- '\wininit.exe'`
			`- '\lsm.exe'`
			`- '\winlogon.exe'`
			`- '\explorer.exe'`
			`- '\taskhost.exe'`
			`- '\Taskmgr.exe'`
			`- '\taskmgr.exe'`
			`- '\sihost.exe'`
			`- '\RuntimeBroker.exe'`
			`- '\runtimebroker.exe'`
			`- '\smartscreen.exe'`
			`- '\dllhost.exe'`
			`- '\audiodg.exe'`
			`- '\wlanext.exe'`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`filter:`
Update sysmon_creation_system_file.yml 2020-10-15 15:58:10 -03:00			`TargetFilename\|startswith:`
			`- 'C:\Windows\System32\\'`
			`- 'C:\Windows\system32\\'`
			`- 'C:\Windows\SysWow64\\'`
			`- 'C:\Windows\SysWOW64\\'`
			`- 'C:\Windows\winsxs\\'`
			`- 'C:\Windows\WinSxS\\'`
			`- '\SystemRoot\System32\\'`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`condition: selection and not filter`
			`fields:`
			`- Image`
			`falsepositives:`
			`- System processes copied outside the default folder`
			`level: high`