Detection: System Process Running from Unexpected Location
Description
An attacker might try to run a different version of a system command without overwriting the original, or might run the process from a different folder to evade detection. This detection checks that a list of system processes run from inside C:\Windows\System32 or C:\Windows\SysWOW64. The list of system processes was extracted from https://github.com/splunk/security_content/blob/develop/lookups/is_windows_system_file.csv, and the original detection is https://github.com/splunk/security_content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml
Annotations
No annotations available.
Implementation
Collect endpoint data such as sysmon or 4688 events.
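A small reference implementation of the folder check described above, added here as an example and not the detection's own SPL: it runs over a few constructed 4688-style process records, using a constructed subset of the system-process list and exact matching on the two expected directories. The ProcessEvent shape and its field names are assumptions.

```python
import ntpath
from dataclasses import dataclass

# Constructed subset of the system-process list; the real detection uses the
# full is_windows_system_file.csv lookup referenced above.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe",
                    "services.exe", "winlogon.exe", "wininit.exe"}
# Folders the listed processes are expected to run from (compared exactly,
# so a copy dropped in a subfolder of System32 is still flagged).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

@dataclass
class ProcessEvent:        # assumed shape of a normalised 4688/Sysmon event
    dest_device_id: str
    process_name: str
    process_path: str      # full image path as logged
    process: str           # command line

def normalize_dir(path: str) -> str:
    """Parent folder, lower-cased, forward slashes and trailing separators removed."""
    parent = ntpath.dirname(path.replace("/", "\\"))
    return parent.rstrip("\\").lower()

def is_unexpected_location(event: ProcessEvent) -> bool:
    """True when a listed system process image lives outside System32/SysWOW64."""
    name = (ntpath.basename(event.process_path) or event.process_name).lower()
    if name not in SYSTEM_PROCESSES:
        return False       # not a tracked system binary, nothing to check
    return normalize_dir(event.process_path) not in EXPECTED_DIRS

def risk_message(event: ProcessEvent) -> str:
    """Same wording as the RBA risk message on this page."""
    return (f"A system process {event.process_name} with commandline {event.process} "
            f"spawn in non-default folder path in host {event.dest_device_id}")

def find_unexpected(events):
    """Return one risk message per event that fails the location check."""
    return [risk_message(e) for e in events if is_unexpected_location(e)]

# Constructed sample events: legitimate ones plus a masquerading copy of svchost.exe.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("WS01", "lsass.exe", "c:/windows/syswow64/lsass.exe", "lsass.exe"),
    ProcessEvent("WS02", "svchost.exe", r"C:\Users\Public\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("WS02", "notepad.exe", r"C:\Temp\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for msg in find_unexpected(SAMPLE_EVENTS):
        print(msg)
```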
Known False Positives
None
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| A system process $process_name$ with commandline $process$ spawn in non-default folder path in host $dest_device_id$ | 56 | 70 | 80 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact are set by the analytic author.
Version: 9