System File Execution Location Anomaly

    Date: 02/17/2026

    Severity: High

    Summary

    Identifies when a legitimate Windows system executable, one that normally resides in the system directory, is launched from an unusual or unexpected location.

    Indicators of Compromise (IOC) List

    Image (process name, ends with) :

    - '\atbroker.exe'

    - '\audiodg.exe'

    - '\bcdedit.exe'

    - '\bitsadmin.exe'

    - '\certreq.exe'

    - '\certutil.exe'

    - '\cmstp.exe'

    - '\conhost.exe'

    - '\consent.exe'

    - '\cscript.exe'

    - '\csrss.exe'

    - '\dashost.exe'

    - '\defrag.exe'

    - '\dfrgui.exe'

    - '\dism.exe'

    - '\dllhost.exe'

    - '\dllhst3g.exe'

    - '\dwm.exe'

    - '\eventvwr.exe'

    - '\finger.exe'

    - '\logonui.exe'

    - '\LsaIso.exe'

    - '\lsass.exe'

    - '\lsm.exe'

    - '\msiexec.exe'

    - '\ntoskrnl.exe'

    - '\powershell_ise.exe'

    - '\powershell.exe'

    - '\pwsh.exe'

    - '\regsvr32.exe'

    - '\rundll32.exe'

    - '\runonce.exe'

    - '\RuntimeBroker.exe'

    - '\schtasks.exe'

    - '\services.exe'

    - '\sihost.exe'

    - '\smartscreen.exe'

    - '\smss.exe'

    - '\spoolsv.exe'

    - '\svchost.exe'

    - '\taskhost.exe'

    - '\taskhostw.exe'

    - '\Taskmgr.exe'

    - '\userinit.exe'

    - '\werfault.exe'

    - '\werfaultsecure.exe'

    - '\wininit.exe'

    - '\winlogon.exe'

    - '\winver.exe'

    - '\wlanext.exe'

    - '\wscript.exe'

    - '\wsl.exe'

    - '\wsmprovhost.exe'

    Image (expected locations, excluded from the alert) :

    - 'C:\$WINDOWS.~BT\'

    - 'C:\$WinREAgent\'

    - 'C:\Windows\SoftwareDistribution\'

    - 'C:\Windows\System32\'

    - 'C:\Windows\SystemTemp\'

    - 'C:\Windows\SysWOW64\'

    - 'C:\Windows\uus\'

    - 'C:\Windows\WinSxS\'

    - '\SystemRoot\System32\'

    - 'C:\Program Files\PowerShell\7\'

    - 'C:\Program Files\PowerShell\7-preview\'

    - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'

    - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' with the image ending in '\pwsh.exe'

    - 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux' or 'C:\Program Files\WSL\' with the image ending in '\wsl.exe'

    - 'C:\Users\' containing '\AppData\Local\Microsoft\WindowsApps\' with the image ending in '\wsl.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    resourcename = "Windows Security" and eventtype = "4688" and processname In ("\atbroker.exe","\audiodg.exe","\bcdedit.exe","\bitsadmin.exe","\certreq.exe","\certutil.exe","\cmstp.exe","\conhost.exe","\consent.exe","\cscript.exe","\csrss.exe","\dashost.exe","\defrag.exe","\dfrgui.exe","\dism.exe","\dllhost.exe","\dllhst3g.exe","\dwm.exe","\eventvwr.exe","\finger.exe","\logonui.exe","\LsaIso.exe","\lsass.exe","\lsm.exe","\msiexec.exe","\ntoskrnl.exe","\powershell_ise.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\runonce.exe","\RuntimeBroker.exe","\schtasks.exe","\services.exe","\sihost.exe","\smartscreen.exe","\smss.exe","\spoolsv.exe","\svchost.exe","\taskhost.exe","\taskhostw.exe","\Taskmgr.exe","\userinit.exe","\werfault.exe","\werfaultsecure.exe","\wininit.exe","\winlogon.exe","\winver.exe","\wlanext.exe","\wscript.exe","\wsl.exe","\wsmprovhost.exe") and processname not in ("C:\$WINDOWS.~BT","C:\$WinREAgent","C:\Windows\SoftwareDistribution","C:\Windows\System32","C:\Windows\SystemTemp","C:\Windows\SysWOW64","C:\Windows\WinSxS","\SystemRoot\System32","C:\Program Files\PowerShell\7","C:\Program Files\PowerShell\7-preview","C:\Program Files\WindowsApps\Microsoft.PowerShellPreview","\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview","\pwsh.exe","C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux","C:\Program Files\WSL","\wsl.exe","C:\Users","\AppData\Local\Microsoft\WindowsApps","\wsl.exe","C:\Windows\uus")

    Detection Query 2 :

    technologygroup = "EDR" and processname In ("\atbroker.exe","\audiodg.exe","\bcdedit.exe","\bitsadmin.exe","\certreq.exe","\certutil.exe","\cmstp.exe","\conhost.exe","\consent.exe","\cscript.exe","\csrss.exe","\dashost.exe","\defrag.exe","\dfrgui.exe","\dism.exe","\dllhost.exe","\dllhst3g.exe","\dwm.exe","\eventvwr.exe","\finger.exe","\logonui.exe","\LsaIso.exe","\lsass.exe","\lsm.exe","\msiexec.exe","\ntoskrnl.exe","\powershell_ise.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\runonce.exe","\RuntimeBroker.exe","\schtasks.exe","\services.exe","\sihost.exe","\smartscreen.exe","\smss.exe","\spoolsv.exe","\svchost.exe","\taskhost.exe","\taskhostw.exe","\Taskmgr.exe","\userinit.exe","\werfault.exe","\werfaultsecure.exe","\wininit.exe","\winlogon.exe","\winver.exe","\wlanext.exe","\wscript.exe","\wsl.exe","\wsmprovhost.exe") and processname not in ("C:\$WINDOWS.~BT","C:\$WinREAgent","C:\Windows\SoftwareDistribution","C:\Windows\System32","C:\Windows\SystemTemp","C:\Windows\SysWOW64","C:\Windows\WinSxS","\SystemRoot\System32","C:\Program Files\PowerShell\7","C:\Program Files\PowerShell\7-preview","C:\Program Files\WindowsApps\Microsoft.PowerShellPreview","\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview","\pwsh.exe","C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux","C:\Program Files\WSL","\wsl.exe","C:\Users","\AppData\Local\Microsoft\WindowsApps","\wsl.exe","C:\Windows\uus")
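    As an added example (not the advisory's or Gurucul's own code), the referenced Sigma rule logic implemented in Python and run over constructed 4688 events: comparisons are case-insensitive, and the compound filters (a parent path together with a file name) stay compound, whereas the flat not-in lists above treat "\pwsh.exe", "\wsl.exe" and "C:\Users" as standalone exclusions. The field names EventID and NewProcessName follow the Windows 4688 event; the user name and sample paths are constructed.

```python
# Added example: evaluates the system-executable location rule over constructed 4688 events.
SYSTEM_EXES = (
    "\\atbroker.exe", "\\audiodg.exe", "\\bcdedit.exe", "\\bitsadmin.exe", "\\certreq.exe", "\\certutil.exe",
    "\\cmstp.exe", "\\conhost.exe", "\\consent.exe", "\\cscript.exe", "\\csrss.exe", "\\dashost.exe",
    "\\defrag.exe", "\\dfrgui.exe", "\\dism.exe", "\\dllhost.exe", "\\dllhst3g.exe", "\\dwm.exe",
    "\\eventvwr.exe", "\\finger.exe", "\\logonui.exe", "\\lsaiso.exe", "\\lsass.exe", "\\lsm.exe",
    "\\msiexec.exe", "\\ntoskrnl.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\regsvr32.exe", "\\rundll32.exe", "\\runonce.exe", "\\runtimebroker.exe", "\\schtasks.exe",
    "\\services.exe", "\\sihost.exe", "\\smartscreen.exe", "\\smss.exe", "\\spoolsv.exe", "\\svchost.exe",
    "\\taskhost.exe", "\\taskhostw.exe", "\\taskmgr.exe", "\\userinit.exe", "\\werfault.exe",
    "\\werfaultsecure.exe", "\\wininit.exe", "\\winlogon.exe", "\\winver.exe", "\\wlanext.exe",
    "\\wscript.exe", "\\wsl.exe", "\\wsmprovhost.exe",
)
# Directories where the listed binaries legitimately run (prefix match on the lowercased image path).
EXPECTED_PREFIXES = (
    "c:\\$windows.~bt\\", "c:\\$winreagent\\", "c:\\windows\\softwaredistribution\\",
    "c:\\windows\\system32\\", "c:\\windows\\systemtemp\\", "c:\\windows\\syswow64\\",
    "c:\\windows\\uus\\", "c:\\windows\\winsxs\\", "\\systemroot\\system32\\",
    "c:\\program files\\powershell\\7\\", "c:\\program files\\powershell\\7-preview\\",
    "c:\\program files\\windowsapps\\microsoft.powershellpreview",
)
# Compound filters: (required path prefix or "", required substring or "", required file name).
COMPOUND_FILTERS = (
    ("", "\\appdata\\local\\microsoft\\windowsapps\\microsoft.powershellpreview", "\\pwsh.exe"),
    ("c:\\program files\\windowsapps\\microsoftcorporationii.windowssubsystemforlinux", "", "\\wsl.exe"),
    ("c:\\program files\\wsl\\", "", "\\wsl.exe"),
    ("c:\\users\\", "\\appdata\\local\\microsoft\\windowsapps\\", "\\wsl.exe"),
)
def is_anomalous(image: str) -> bool:
    """True when a listed system executable runs outside every expected location."""
    p = image.lower()
    if not p.endswith(SYSTEM_EXES) or p.startswith(EXPECTED_PREFIXES):
        return False
    return not any(p.startswith(pre) and frag in p and p.endswith(name)
                   for pre, frag, name in COMPOUND_FILTERS)
def flag_events(events):
    """Return the NewProcessName of every 4688 event that trips the rule."""
    return [e["NewProcessName"] for e in events
            if e.get("EventID") == "4688" and is_anomalous(e.get("NewProcessName", ""))]
# Constructed sample events (not real telemetry); the 4689 record only exercises the event-ID check.
SAMPLE_EVENTS = [
    {"EventID": "4688", "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": "4688", "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    {"EventID": "4688", "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\wsl.exe"},
    {"EventID": "4688", "NewProcessName": "C:\\Users\\alice\\Downloads\\wsl.exe"},
    {"EventID": "4688", "NewProcessName": "C:\\Windows\\Temp\\pwsh.exe"},
    {"EventID": "4689", "NewProcessName": "C:\\Windows\\Temp\\rundll32.exe"},
]
```

    Running flag_events(SAMPLE_EVENTS) reports the Temp-directory svchost.exe, the Downloads wsl.exe and the Windows\Temp pwsh.exe, while the Store-installed wsl.exe under WindowsApps stays quiet because its compound filter matches.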

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml


    Tags

    Sigma

