title: File Created with System Process Name
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: experimental
description: Detects the creation of a executable with a system process name in a suspicious folder
author: Sander Wiebing
date: 2020/05/26
modified: 2020/08/23
tags:
    - attack.defense_evasion
    - attack.t1036          # an old one
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\svchost.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\spoolsv.exe'
            - '\lsass.exe'
            - '\smss.exe'
            - '\csrss.exe'
            - '\conhost.exe'
            - '\wininit.exe'
            - '\lsm.exe'
            - '\winlogon.exe'
            - '\explorer.exe'
            - '\taskhost.exe'
            - '\Taskmgr.exe'
            - '\taskmgr.exe'
            - '\sihost.exe'
            - '\RuntimeBroker.exe'
            - '\runtimebroker.exe'
            - '\smartscreen.exe'
            - '\dllhost.exe'
            - '\audiodg.exe'
            - '\wlanext.exe'
    filter:
        TargetFilename|startswith:
            - 'C:\Windows\System32\\'
            - 'C:\Windows\system32\\'
            - 'C:\Windows\SysWow64\\'
            - 'C:\Windows\SysWOW64\\'
            - 'C:\Windows\winsxs\\'
            - 'C:\Windows\WinSxS\\'
            - '\SystemRoot\System32\\'
    condition: selection and not filter
fields:
    - Image
falsepositives:
    - System processes copied outside the default folder
level: high