From f6ec724d51b9feb83ce903c6c6398f9c143b9bd4 Mon Sep 17 00:00:00 2001
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue, 26 May 2020 18:53:54 +0200
Subject: [PATCH 1/2] Rule: sysmon_creation_system_file

---
 .../sysmon/sysmon_creation_system_file | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_creation_system_file

diff --git a/rules/windows/sysmon/sysmon_creation_system_file b/rules/windows/sysmon/sysmon_creation_system_file
new file mode 100644
index 000000000..3744a10ac
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_creation_system_file
@@ -0,0 +1,57 @@
+title: File Created with System Process Name
+id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
+status: experimental
+description: Detects the creation of a executable with a sytem process name in a suspicious folder
+references:
+ - https://attack.mitre.org/techniques/T1036/
+author: Sander Wiebing
+date: 2020/05/26
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 11
+ Image:
+ - '*\svchost.exe'
+ - '*\rundll32.exe'
+ - '*\services.exe'
+ - '*\powershell.exe'
+ - '*\regsvr32.exe'
+ - '*\spoolsv.exe'
+ - '*\lsass.exe'
+ - '*\smss.exe'
+ - '*\csrss.exe'
+ - '*\conhost.exe'
+ - '*\wininit.exe'
+ - '*\lsm.exe'
+ - '*\winlogon.exe'
+ - '*\explorer.exe'
+ - '*\taskhost.exe'
+ - '*\Taskmgr.exe'
+ - '*\taskmgr.exe'
+ - '*\sihost.exe'
+ - '*\RuntimeBroker.exe'
+ - '*\runtimebroker.exe'
+ - '*\smartscreen.exe'
+ - '*\dllhost.exe'
+ - '*\audiodg.exe'
+ - '*\wlanext.exe'
+ filter:
+ Image:
+ - 'C:\Windows\System32\\*'
+ - 'C:\Windows\system32\\*'
+ - 'C:\Windows\SysWow64\\*'
+ - 'C:\Windows\SysWOW64\\*'
+ - 'C:\Windows\winsxs\\*'
+ - 'C:\Windows\WinSxS\\*'
+ - '\SystemRoot\System32\\*'
+ condition: selection and not filter
+fields:
+ - Image
+falsepositives:
+ - System processes copied outside the default folder
+level: high
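Review bot: Both `selection` and `filter` key on `Image`, which in a Sysmon Event ID 11 record is the process that created the file, whereas the title, description and false-positive note all describe the created file carrying a system process name — that is `TargetFilename`. As written, the rule fires when a process bearing one of the listed names runs from outside the allow-listed directories and writes any file, and it never inspects the name or location of the file being created. Changing the field in both places, `TargetFilename:` under `selection` and `TargetFilename:` under `filter`, and listing it in `fields` (`- TargetFilename`) aligns the logic with the description; the existing wildcard values work unchanged. Separately, the case-only duplicates (`Taskmgr.exe`/`taskmgr.exe`, `System32`/`system32`, …) look redundant since Sigma backends generally match case-insensitively, and the description has two typos (`a executable` → `an executable`, `sytem` → `system`).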
From d44fc43c5452e4e62b5dcf990139a4e166dda706 Mon Sep 17 00:00:00 2001
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Tue, 26 May 2020 19:10:11 +0200
Subject: [PATCH 2/2] Add extension

---
 ...ysmon_creation_system_file => sysmon_creation_system_file.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/sysmon/{sysmon_creation_system_file => sysmon_creation_system_file.yml} (100%)

diff --git a/rules/windows/sysmon/sysmon_creation_system_file b/rules/windows/sysmon/sysmon_creation_system_file.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_creation_system_file
rename to rules/windows/sysmon/sysmon_creation_system_file.yml