Detection: System Process Running from Unexpected Location

Description

An attacker might run a different copy of a system command without overwriting the original binary, or might run the process from a different folder to sidestep detections that key on the expected path. This detection checks that each process in a list of known Windows system processes runs from inside C:\Windows\System32 or C:\Windows\SysWOW64 and flags any that run from elsewhere. The list of system processes was extracted from https://github.com/splunk/security_content/blob/develop/lookups/is_windows_system_file.csv, and the original detection is https://github.com/splunk/security_content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml
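The check described above, as an added example in Python that is not part of the original detection or the Splunk project; the real detection is an SPL search, and this is an illustration of the same logic over constructed process-creation events. The SYSTEM_PROCESSES set is a small hypothetical subset of the is_windows_system_file.csv lookup, the sample events are constructed, and the decision to require the image to sit directly in System32 or SysWOW64 (so a subfolder is still flagged) and to assume C: as the system drive are this example's choices. Paths are normalised first so that case differences, forward slashes, the \\?\ prefix, and ..\ traversal cannot be used to make a copy in another folder look like it lives in System32. The emitted alert also carries the page's risk score, computed with the formula given under Risk Based Analytics.

```python
import ntpath
from dataclasses import dataclass

# Hypothetical subset of the is_windows_system_file.csv lookup referenced above.
# The real lookup is much longer; these names are only here to make the example run.
SYSTEM_PROCESSES = {
    "cmd.exe", "powershell.exe", "svchost.exe", "rundll32.exe",
    "lsass.exe", "explorer.exe", "certutil.exe", "regsvr32.exe",
}

# Folders the detection treats as the expected home of a system process.
# Assumption: the system drive is C:.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Impact and confidence set by the analytic author (from the RBA section).
IMPACT, CONFIDENCE = 70, 80


@dataclass
class ProcessEvent:
    """One process-creation record (constructed for the example).

    process_path corresponds to Sysmon Event ID 1 'Image' or Security 4688
    'NewProcessName'; process is the command line.
    """
    dest_device_id: str
    process_path: str
    process: str


def normalize_path(path: str) -> str:
    """Lower-case, strip quotes and the \\?\ prefix, collapse ..\ and forward slashes."""
    p = path.strip().strip('"')
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return ntpath.normpath(p).lower()


def is_unexpected_location(process_path: str) -> bool:
    """True when a tracked system process runs from a folder other than the two expected ones."""
    directory, name = ntpath.split(normalize_path(process_path))
    if name not in SYSTEM_PROCESSES:
        return False  # not a tracked system binary: out of scope for this detection
    # Strict match on the parent folder: a subfolder of System32 is still unexpected.
    return directory not in EXPECTED_DIRS


def risk_score(impact: int, confidence: int) -> int:
    """Risk Score = Impact * Confidence / 100, as stated on the page."""
    return impact * confidence // 100


def detect(events):
    """Run the check over a list of ProcessEvent and return one alert dict per hit."""
    alerts = []
    for ev in events:
        if not is_unexpected_location(ev.process_path):
            continue
        name = ntpath.basename(normalize_path(ev.process_path))
        alerts.append({
            "dest_device_id": ev.dest_device_id,
            "process_name": name,
            "process_path": ev.process_path,
            "risk_message": (f"A system process {name} with commandline {ev.process} "
                             f"spawned in non-default folder path in host {ev.dest_device_id}"),
            "risk_score": risk_score(IMPACT, CONFIDENCE),
        })
    return alerts


# Constructed sample events: two benign, one untracked binary, and four evasions.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("WS01", r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("WS01", r"C:\Program Files\Git\usr\bin\ssh.exe", "ssh.exe -V"),
    ProcessEvent("WS02", r"C:\Users\Public\svchost.exe", "svchost.exe"),
    ProcessEvent("WS02", r"C:\Windows\Temp\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("WS03", r"\\?\C:\WINDOWS/system32\..\Temp\rundll32.exe", "rundll32.exe x.dll,Run"),
    ProcessEvent("WS04", r"C:\Windows\System32\spool\drivers\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["risk_score"], alert["risk_message"])
```

Feeding real telemetry into detect() only requires mapping the Image / NewProcessName and command-line fields onto ProcessEvent; the normalisation step is the part worth keeping, because a raw string comparison against "C:\Windows\System32" would miss the WS03 event above.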

Annotations

No annotations available.

Implementation

Collect endpoint process-creation data, such as Sysmon Event ID 1 or Windows Security Event ID 4688, that includes the full image path of the new process. If you rely on 4688, enable command-line logging in process creation events so the $process$ field in the risk message is populated.

Known False Positives

None

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message: A system process $process_name$ with commandline $process$ spawned in a non-default folder path on host $dest_device_id$
Risk Score: 56
Impact: 70
Confidence: 80

The Risk Score is calculated by the following formula: Risk Score = Impact * Confidence / 100, so 70 * 80 / 100 = 56 here. Initial Confidence and Impact are set by the analytic author.

Version: 9