1type: trigger
2name: sigmahq/proc_creation_win_susp_execution_path
3description: |
4  Detects a potentially suspicious execution from an uncommon folder.
5filter: |
6  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image contains ':\\Perflogs\\' || evt.Parsed.Image contains ':\\Users\\All Users\\' || evt.Parsed.Image contains ':\\Users\\Default\\' || evt.Parsed.Image contains ':\\Users\\NetworkService\\' || evt.Parsed.Image contains ':\\Windows\\addins\\' || evt.Parsed.Image contains ':\\Windows\\debug\\' || evt.Parsed.Image contains ':\\Windows\\Fonts\\' || evt.Parsed.Image contains ':\\Windows\\Help\\' || evt.Parsed.Image contains ':\\Windows\\IME\\' || evt.Parsed.Image contains ':\\Windows\\Media\\' || evt.Parsed.Image contains ':\\Windows\\repair\\' || evt.Parsed.Image contains ':\\Windows\\security\\' || evt.Parsed.Image contains ':\\Windows\\System32\\Tasks\\' || evt.Parsed.Image contains ':\\Windows\\Tasks\\' || evt.Parsed.Image contains '$Recycle.bin' || evt.Parsed.Image contains '\\config\\systemprofile\\' || evt.Parsed.Image contains '\\Intel\\Logs\\' || evt.Parsed.Image contains '\\RSA\\MachineKeys\\') && not (evt.Parsed.Image startsWith 'C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\' || evt.Parsed.Image startsWith 'C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\' && evt.Parsed.Image endsWith '\\CitrixReceiverUpdater.exe'))
7blackhole: 2m
8#status: test
9labels:
10  service: windows
11  confidence: 1
12  spoofable: 0
13  classification:
14   - attack.t1036
15
16  label: "Process Execution From A Potentially Suspicious Folder"
17  behavior : "windows:audit"
18  remediation: false
19
20scope:
21  type: ParentProcessId
22  expression: evt.Parsed.ParentProcessId
23
24