System File Execution Location Anomaly

    Date: 08/08/2024

    Severity: Medium

    Summary

    System File Execution Location Anomaly is a detection that fires when a process whose image name matches a core Windows system binary (svchost.exe, lsass.exe, rundll32.exe and the rest of the list below) is started from a directory other than the locations Windows normally installs it in, chiefly C:\Windows\System32\ and C:\Windows\SysWOW64\. Malware commonly copies itself under a well-known system file name into a user-writable directory such as %TEMP% or C:\Users\Public so that it blends in with legitimate processes in task lists and logs (masquerading, MITRE ATT&CK T1036.005, Match Legitimate Name or Location); a misconfigured installer or an unauthorized administrator copying system tools around can produce the same pattern. A hit therefore warrants triage rather than an automatic block: check the file's digital signature and hash against the genuine binary, identify the parent process and the account that launched it, and establish how the file arrived on disk. Benign causes exist (portable or self-extracting tools that bundle a system binary, exotic third-party software, a second Windows installation under another drive letter), so the alert is a prompt to investigate.

    Indicators of Compromise (IOC) List

    The list below has two parts. The entries up to '\wsmprovhost.exe' are the monitored image names; each is matched as a suffix of the full Image path (Image|endswith in the referenced Sigma rule), which is why every entry starts with a backslash. The entries from 'C:\$WINDOWS.~BT\' onward are the expected locations of those binaries: the rule fires only when the Image does NOT fall under one of them, so they are exclusions that suppress the alert rather than indicators of compromise.

    Image (file name, matched as a path suffix)

    '\atbroker.exe'

    '\audiodg.exe'

    '\bcdedit.exe'

    '\bitsadmin.exe'

    '\certreq.exe'

    '\certutil.exe'

    '\cmstp.exe'

    '\conhost.exe'

    '\consent.exe'

    '\cscript.exe'

    '\csrss.exe'

    '\dashost.exe'

    '\defrag.exe'

    '\dfrgui.exe'

    '\dism.exe'

    '\dllhost.exe'

    '\dllhst3g.exe'

    '\dwm.exe'

    '\eventvwr.exe'

    '\logonui.exe'

    '\LsaIso.exe'

    '\lsass.exe'

    '\lsm.exe'

    '\msiexec.exe'

    '\ntoskrnl.exe'

    '\powershell_ise.exe'

    '\powershell.exe'

    '\pwsh.exe'

    '\regsvr32.exe'

    '\rundll32.exe'

    '\runonce.exe'

    '\RuntimeBroker.exe'

    '\schtasks.exe'

    '\services.exe'

    '\sihost.exe'

    '\smartscreen.exe'

    '\smss.exe'

    '\spoolsv.exe'

    '\svchost.exe'

    '\taskhost.exe'

    '\Taskmgr.exe'

    '\userinit.exe'

    '\wininit.exe'

    '\winlogon.exe'

    '\winver.exe'

    '\wlanext.exe'

    '\wscript.exe'

    '\wsl.exe'

    '\wsmprovhost.exe' 

    Expected locations (exclusions; each is matched as a path prefix, except the two full pwsh.exe paths, which are exact matches; the trailing backslash is part of the prefix so that look-alike directories such as C:\Windows\System32Fake\ are not excluded)

    'C:\$WINDOWS.~BT\'

    'C:\$WinREAgent\'

    'C:\Windows\SoftwareDistribution\'

    'C:\Windows\System32\'

    'C:\Windows\SystemTemp\'

    'C:\Windows\SysWOW64\'

    'C:\Windows\uus\'

    'C:\Windows\WinSxS\'

    'C:\Program Files\PowerShell\7\pwsh.exe'

    'C:\Program Files\PowerShell\7-preview\pwsh.exe'

    'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux' (path prefix) combined with '\wsl.exe' (file name suffix): both must match for this exclusion to apply, so any other monitored binary started from the WSL package directory is still flagged

    '\SystemRoot\System32\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Queries 1 to 3 run against Sysmon telemetry and Queries 4 to 6 against EDR telemetry; within each set the three queries carry the three exclusion groups of the referenced Sigma rule (the generic Windows directories, the two PowerShell 7 install paths, and the WSL package directory). The intended evaluation is: Image ends with one of the system file names AND Image does not start with (or, for pwsh.exe, equal) one of the expected locations. Two points to verify before deploying: the Sigma rule's log source is process creation, which in Sysmon is Event ID 1 (Event ID 7 is Image Loaded), so confirm what eventtype "7" maps to in your Sysmon ingestion; and the directory entries in the queries omit the trailing backslash present in the Sigma rule, which, if matched as a plain prefix, would also exclude a look-alike directory such as C:\Windows\System32Fake\.

    Detection Query 1

    resourcename in ("Sysmon") and eventtype = "7" and Image in ("\\atbroker.exe","\\audiodg.exe","\\bcdedit.exe","\\bitsadmin.exe","\\certreq.exe","\\certutil.exe","\\cmstp.exe","\\conhost.exe","\\consent.exe","\\cscript.exe","\\csrss.exe","\\dashost.exe","\\defrag.exe","\\dfrgui.exe","\\dism.exe","\\dllhost.exe","\\dllhst3g.exe","\\dwm.exe","\\eventvwr.exe","\\logonui.exe","\\LsaIso.exe","\\lsass.exe","\\lsm.exe","\\msiexec.exe","\\ntoskrnl.exe","\\powershell_ise.exe","\\powershell.exe","\\pwsh.exe","\\regsvr32.exe","\\rundll32.exe","\\runonce.exe","\\RuntimeBroker.exe","\\schtasks.exe","\\services.exe","\\sihost.exe","\\smartscreen.exe","\\smss.exe","\\spoolsv.exe","\\svchost.exe","\\taskhost.exe","\\Taskmgr.exe","\\userinit.exe","\\wininit.exe","\\winlogon.exe","\\winver.exe","\\wlanext.exe","\\wscript.exe","\\wsl.exe","\\wsmprovhost.exe","C:\\$WINDOWS.~BT","C:\\$WinREAgent","C:\\Windows\\SoftwareDistribution","C:\\Windows\\System32","C:\\Windows\\SystemTemp","C:\\Windows\\SysWOW64","C:\\Windows\\uus","C:\\Windows\\WinSxS","\\SystemRoot\\System32")

    Detection Query 2

    resourcename in ("Sysmon") AND eventtype = "7" AND Image in ("\\atbroker.exe","\\audiodg.exe","\\bcdedit.exe","\\bitsadmin.exe","\\certreq.exe","\\certutil.exe","\\cmstp.exe","\\conhost.exe","\\consent.exe","\\cscript.exe","\\csrss.exe","\\dashost.exe","\\defrag.exe","\\dfrgui.exe","\\dism.exe","\\dllhost.exe","\\dllhst3g.exe","\\dwm.exe","\\eventvwr.exe","\\logonui.exe","\\LsaIso.exe","\\lsass.exe","\\lsm.exe","\\msiexec.exe","\\ntoskrnl.exe","\\powershell_ise.exe","\\powershell.exe","\\pwsh.exe","\\regsvr32.exe","\\rundll32.exe","\\runonce.exe","\\RuntimeBroker.exe","\\schtasks.exe","\\services.exe","\\sihost.exe","\\smartscreen.exe","\\smss.exe","\\spoolsv.exe","\\svchost.exe","\\taskhost.exe","\\Taskmgr.exe","\\userinit.exe","\\wininit.exe","\\winlogon.exe","\\winver.exe","\\wlanext.exe","\\wscript.exe","\\wsl.exe","\\wsmprovhost.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe","C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe","\\SystemRoot\\System32")

    Detection Query 3

    resourcename in ("Sysmon") AND eventtype = "7" AND Image in ("\\atbroker.exe","\\audiodg.exe","\\bcdedit.exe","\\bitsadmin.exe","\\certreq.exe","\\certutil.exe","\\cmstp.exe","\\conhost.exe","\\consent.exe","\\cscript.exe","\\csrss.exe","\\dashost.exe","\\defrag.exe","\\dfrgui.exe","\\dism.exe","\\dllhost.exe","\\dllhst3g.exe","\\dwm.exe","\\eventvwr.exe","\\logonui.exe","\\LsaIso.exe","\\lsass.exe","\\lsm.exe","\\msiexec.exe","\\ntoskrnl.exe","\\powershell_ise.exe","\\powershell.exe","\\pwsh.exe","\\regsvr32.exe","\\rundll32.exe","\\runonce.exe","\\RuntimeBroker.exe","\\schtasks.exe","\\services.exe","\\sihost.exe","\\smartscreen.exe","\\smss.exe","\\spoolsv.exe","\\svchost.exe","\\taskhost.exe","\\Taskmgr.exe","\\userinit.exe","\\wininit.exe","\\winlogon.exe","\\winver.exe","\\wlanext.exe","\\wscript.exe","\\wsl.exe","\\wsmprovhost.exe", "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux","\\wsl.exe","\\SystemRoot\\System32")

    Detection Query 4

    technologygroup = "EDR" AND Image in ("\\atbroker.exe","\\audiodg.exe","\\bcdedit.exe","\\bitsadmin.exe","\\certreq.exe","\\certutil.exe","\\cmstp.exe","\\conhost.exe","\\consent.exe","\\cscript.exe","\\csrss.exe","\\dashost.exe","\\defrag.exe","\\dfrgui.exe","\\dism.exe","\\dllhost.exe","\\dllhst3g.exe","\\dwm.exe","\\eventvwr.exe","\\logonui.exe","\\LsaIso.exe","\\lsass.exe","\\lsm.exe","\\msiexec.exe","\\ntoskrnl.exe","\\powershell_ise.exe","\\powershell.exe","\\pwsh.exe","\\regsvr32.exe","\\rundll32.exe","\\runonce.exe","\\RuntimeBroker.exe","\\schtasks.exe","\\services.exe","\\sihost.exe","\\smartscreen.exe","\\smss.exe","\\spoolsv.exe","\\svchost.exe","\\taskhost.exe","\\Taskmgr.exe","\\userinit.exe","\\wininit.exe","\\winlogon.exe","\\winver.exe","\\wlanext.exe","\\wscript.exe","\\wsl.exe","\\wsmprovhost.exe", "C:\\$WINDOWS.~BT","C:\\$WinREAgent","C:\\Windows\\SoftwareDistribution","C:\\Windows\\System32","C:\\Windows\\SystemTemp","C:\\Windows\\SysWOW64","C:\\Windows\\uus","C:\\Windows\\WinSxS","\\SystemRoot\\System32")

    Detection Query 5

    technologygroup = "EDR" AND Image in ("\\atbroker.exe","\\audiodg.exe","\\bcdedit.exe","\\bitsadmin.exe","\\certreq.exe","\\certutil.exe","\\cmstp.exe","\\conhost.exe","\\consent.exe","\\cscript.exe","\\csrss.exe","\\dashost.exe","\\defrag.exe","\\dfrgui.exe","\\dism.exe","\\dllhost.exe","\\dllhst3g.exe","\\dwm.exe","\\eventvwr.exe","\\logonui.exe","\\LsaIso.exe","\\lsass.exe","\\lsm.exe","\\msiexec.exe","\\ntoskrnl.exe","\\powershell_ise.exe","\\powershell.exe","\\pwsh.exe","\\regsvr32.exe","\\rundll32.exe","\\runonce.exe","\\RuntimeBroker.exe","\\schtasks.exe","\\services.exe","\\sihost.exe","\\smartscreen.exe","\\smss.exe","\\spoolsv.exe","\\svchost.exe","\\taskhost.exe","\\Taskmgr.exe","\\userinit.exe","\\wininit.exe","\\winlogon.exe","\\winver.exe","\\wlanext.exe","\\wscript.exe","\\wsl.exe","\\wsmprovhost.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe","C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe","\\SystemRoot\\System32")

    Detection Query 6

    technologygroup = "EDR" AND Image in ("\\atbroker.exe","\\audiodg.exe","\\bcdedit.exe","\\bitsadmin.exe","\\certreq.exe","\\certutil.exe","\\cmstp.exe","\\conhost.exe","\\consent.exe","\\cscript.exe","\\csrss.exe","\\dashost.exe","\\defrag.exe","\\dfrgui.exe","\\dism.exe","\\dllhost.exe","\\dllhst3g.exe","\\dwm.exe","\\eventvwr.exe","\\logonui.exe","\\LsaIso.exe","\\lsass.exe","\\lsm.exe","\\msiexec.exe","\\ntoskrnl.exe","\\powershell_ise.exe","\\powershell.exe","\\pwsh.exe","\\regsvr32.exe","\\rundll32.exe","\\runonce.exe","\\RuntimeBroker.exe","\\schtasks.exe","\\services.exe","\\sihost.exe","\\smartscreen.exe","\\smss.exe","\\spoolsv.exe","\\svchost.exe","\\taskhost.exe","\\Taskmgr.exe","\\userinit.exe","\\wininit.exe","\\winlogon.exe","\\winver.exe","\\wlanext.exe","\\wscript.exe","\\wsl.exe","\\wsmprovhost.exe", "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux","\\wsl.exe","\\SystemRoot\\System32")

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml


    Tags

    Malware, Sigma
