sigma-rules/rules/windows/execution_from_unusual_path_cmdline.toml

[metadata]
creation_date = "2020/10/30"
maturity = "production"
updated_date = "2020/10/30"

[rule]
author = ["Elastic"]
description = """
Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide
malware in trusted paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Execution from Unusual Directory - Command Line"
note = "This is related to the Process Execution from an Unusual Directory rule"
risk_score = 47
rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "eql"

query = '''
process where event.type in ("start", "process_started", "info") and
 process.name : ("wscript.exe","cscript.exe","rundll32.exe","regsvr32.exe","cmstp.exe","RegAsm.exe","installutil.exe","mshta.exe","RegSvcs.exe") and
 /* add suspicious execution paths here */
process.args : ("C:\\PerfLogs\\*","C:\\Users\\Public\\*","C:\\Users\\Default\\*","C:\\Windows\\Tasks\\*","C:\\Intel\\*", "C:\\AMD\\Temp\\*", 
 "C:\\Windows\\AppReadiness\\*", "C:\\Windows\\ServiceState\\*","C:\\Windows\\security\\*","C:\\Windows\\IdentityCRL\\*","C:\\Windows\\Branding\\*","C:\\Windows\\csc\\*",
 "C:\\Windows\\DigitalLocker\\*","C:\\Windows\\en-US\\*","C:\\Windows\\wlansvc\\*","C:\\Windows\\Prefetch\\*","C:\\Windows\\Fonts\\*",
 "C:\\Windows\\diagnostics\\*","C:\\Windows\\TAPI\\*","C:\\Windows\\INF\\*","C:\\Windows\\System32\\Speech\\*","C:\\windows\\tracing\\*",
 "c:\\windows\\IME\\*","c:\\Windows\\Performance\\*","c:\\windows\\intel\\*","c:\\windows\\ms\\*","C:\\Windows\\dot3svc\\*","C:\\Windows\\ServiceProfiles\\*",
 "C:\\Windows\\panther\\*","C:\\Windows\\RemotePackages\\*","C:\\Windows\\OCR\\*","C:\\Windows\\appcompat\\*","C:\\Windows\\apppatch\\*","C:\\Windows\\addins\\*",
 "C:\\Windows\\Setup\\*","C:\\Windows\\Help\\*","C:\\Windows\\SKB\\*","C:\\Windows\\Vss\\*","C:\\Windows\\Web\\*","C:\\Windows\\servicing\\*","C:\\Windows\\CbsTemp\\*",
 "C:\\Windows\\Logs\\*","C:\\Windows\\WaaS\\*","C:\\Windows\\twain_32\\*","C:\\Windows\\ShellExperiences\\*","C:\\Windows\\ShellComponents\\*","C:\\Windows\\PLA\\*",
 "C:\\Windows\\Migration\\*","C:\\Windows\\debug\\*","C:\\Windows\\Cursors\\*","C:\\Windows\\Containers\\*","C:\\Windows\\Boot\\*","C:\\Windows\\bcastdvr\\*",
 "C:\\Windows\\assembly\\*","C:\\Windows\\TextInput\\*","C:\\Windows\\security\\*","C:\\Windows\\schemas\\*","C:\\Windows\\SchCache\\*","C:\\Windows\\Resources\\*",
 "C:\\Windows\\rescache\\*","C:\\Windows\\Provisioning\\*","C:\\Windows\\PrintDialog\\*","C:\\Windows\\PolicyDefinitions\\*","C:\\Windows\\media\\*",
 "C:\\Windows\\Globalization\\*","C:\\Windows\\L2Schemas\\*","C:\\Windows\\LiveKernelReports\\*","C:\\Windows\\ModemLogs\\*","C:\\Windows\\ImmersiveControlPanel\\*")
'''