title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community
date: 2017/11/27
modified: 2021/03/02
tags:
    - attack.defense_evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\spoolsv.exe'
            - '\lsass.exe'
            - '\smss.exe'
            - '\csrss.exe'
            - '\conhost.exe'
            - '\wininit.exe'
            - '\lsm.exe'
            - '\winlogon.exe'
            - '\explorer.exe'
            - '\taskhost.exe'
            - '\Taskmgr.exe'
            - '\sihost.exe'
            - '\RuntimeBroker.exe'
            - '\smartscreen.exe'
            - '\dllhost.exe'
            - '\audiodg.exe'
            - '\wlanext.exe'
    filter:
        - Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWow64\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\winsxs\'
            - 'C:\Windows\WinSxS\'
            - 'C:\avast! sandbox'
        - Image|contains: '\SystemRoot\System32\'
        - Image: 'C:\Windows\explorer.exe'
    condition: selection and not filter
fields:
    - ComputerName
    - User
    - Image
falsepositives:
    - Exotic software
level: high