high advisory

Suspicious Process Execution from Unusual File Paths

Attackers may execute malicious code from unusual file paths such as the Windows Fonts or Debug directories to evade defenses and gain unauthorized access. The activity shows up in the process-creation telemetry collected by endpoint detection and response (EDR) agents, which is what the detections below rely on.

This threat brief addresses the tactic of executing processes from suspicious file paths within Windows environments, a technique adversaries use to bypass security controls and run malicious code. Some of these locations (\Users\Public\, for example) are writable by standard users, so staging a payload there does not by itself require elevated privileges; others, such as \Windows\Fonts\, are not writable by a standard user by default, so execution from them is a stronger indication that the attacker already holds elevated rights. The activity is typically observed post-exploitation, once attackers have initial access and are working to establish persistence or escalate their privileges. Attackers favour these unconventional locations because security solutions that rely on allow-listing or reputation-based analysis often overlook them. The detection focuses on processes running from paths like \Windows\Fonts\, \Users\Public\, \Windows\Debug\ and others, since legitimate software rarely executes from them. This technique has been associated with malware families such as AsyncRAT, RedLine Stealer and LockBit ransomware.

Attack Chain

  1. Initial access is gained through phishing, exploitation of a vulnerability, or other means.
  2. The attacker writes a malicious executable or script (e.g. a PowerShell script) to a suspicious directory such as C:\Windows\Fonts\ or C:\Users\Public\.
  3. A dropper or loader executes the malicious file, for example via command-line execution or a scheduled task.
  4. The malicious process runs from the unusual file path. This is the moment process-creation telemetry (Event ID 4688 or Sysmon Event ID 1) records the image path, command line and parent process.
  5. The process performs malicious activities such as downloading additional payloads, establishing command and control (C2) communication, or conducting reconnaissance.
  6. The attacker uses the compromised process to escalate privileges or move laterally within the network.
  7. Data exfiltration or encryption may follow, depending on the attacker's objectives.
  8. The attacker establishes persistence, for example by creating scheduled tasks or modifying registry keys, so the malicious process restarts after a reboot.

Impact

Successful execution of malicious code from unusual file paths can lead to system compromise, data theft and ransomware infection. Organizations may experience data breaches, financial losses and reputational damage. The technique is associated with several malware families, including information stealers, remote access trojans (RATs) and ransomware, and has affected organizations across many sectors.

Recommendation

  • Enable process creation logging (Event ID 4688 or Sysmon Event ID 1) to capture process execution events, including the process path, command line and parent process, which the rules below depend on. Note that Event ID 4688 only records the command line when the "Include command line in process creation events" audit policy is enabled, and only Sysmon Event ID 1 carries the OriginalFileName field that the second rule below needs.
  • Deploy the Sigma rule "Suspicious Process Executing from Common Non-Executable Paths" to your SIEM to detect processes running from unusual file paths. Tune the rule to filter out legitimate exceptions in your environment (installers and updaters that stage files under \Users\Public\ are a common source of noise).
  • Investigate any alerts generated by the Sigma rule, paying close attention to the process name, command line and parent process.
  • Implement application control policies (for example AppLocker or WDAC) that deny execution from user-writable directories, so that a payload staged in one of these paths cannot run in the first place.
  • Monitor network traffic for suspicious outbound connections originating from processes running from unusual file paths.

Detection coverage (2 rules)

Suspicious Process Executing from Common Non-Executable Paths

high

Detects processes running from suspicious file paths, often used by attackers to hide malicious executables.

Sigma | tactic: defense_evasion | technique: T1036.005 | log source: process_creation (windows)

Suspicious Process Original File Name in Non-Executable Paths

medium

Detects processes with a suspicious original file name executing from suspicious file paths.

Sigma | tactic: defense_evasion | technique: T1036.005 | log source: process_creation (windows)
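To make the two rules above and the logging recommendation concrete, here is an added example (not the platform's Sigma rules and not code from the original brief) that expresses the same logic in plain Python and runs it over constructed Sysmon Event ID 1 and Security 4688 records. The three directories the brief names are used as given; the remaining directory entries, the list of abused binary names and the allow-list entry are assumptions for illustration. It also shows the caveat from the recommendations: a 4688 record carries no OriginalFileName, so only the first rule can ever fire on it.

```python
# Added example (not the platform's rules): the two detections on this page expressed
# as plain Python and run over constructed Sysmon Event ID 1 / Security 4688 records.
# Assumptions: every directory beyond \Windows\Fonts, \Users\Public and \Windows\Debug,
# the abused-binary watch list and the allow-list entry are illustrative, not from the page.

RULE_PATH = "Suspicious Process Executing from Common Non-Executable Paths"
RULE_ORIG = "Suspicious Process Original File Name in Non-Executable Paths"

# Directories treated as non-executable staging locations (lower-case, trailing backslash
# so that "\users\public\" does not also match "\users\publicdata\").
SUSPICIOUS_DIRS = (
    "\\windows\\fonts\\",
    "\\users\\public\\",
    "\\windows\\debug\\",
    "\\windows\\tasks\\",   # assumed addition
    "\\windows\\temp\\",    # assumed addition
    "\\perflogs\\",         # assumed addition
)

# PE OriginalFileName values of commonly abused system binaries (assumed watch list).
# OriginalFileName comes from the PE version resource, so it survives renaming on disk.
ABUSED_ORIGINAL_NAMES = {
    "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}

# Tuning exceptions (assumed): full, normalized image paths known to be legitimate here.
ALLOWLIST = {
    "c:\\users\\public\\desktop\\vendorinstaller.exe",
}


def normalize(path):
    """Lower-case, unify separators and strip the \\\\?\\ prefix some logs carry."""
    p = path.replace("/", "\\").lower()
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return p


def image_path(event):
    """Executable path from a Sysmon EID 1 (Image) or Security 4688 (NewProcessName) record."""
    return event.get("Image") or event.get("NewProcessName") or ""


def in_suspicious_dir(image):
    return any(d in image for d in SUSPICIOUS_DIRS)


def evaluate(event):
    """Return the list of rule names the record matches (empty list if none)."""
    image = normalize(image_path(event))
    if not image or not in_suspicious_dir(image) or image in ALLOWLIST:
        return []
    hits = [RULE_PATH]
    # Rule 2 needs OriginalFileName, which Sysmon logs but Security 4688 does not,
    # so a 4688-only pipeline can never raise the second alert.
    orig = (event.get("OriginalFileName") or "").lower()
    if orig in ABUSED_ORIGINAL_NAMES:
        hits.append(RULE_ORIG)
    return hits


def run(events):
    """Map each alerting image path to the rules it triggered."""
    alerts = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            alerts[image_path(e)] = hits
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # renamed PowerShell staged in the Fonts directory: both rules
    {"EventID": 1, "Image": "C:\\WINDOWS\\Fonts\\FontCache.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "FontCache.exe -nop -w hidden -enc <base64>",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # unknown binary in Public: path rule only
    {"EventID": 1, "Image": "C:\\Users\\Public\\update.exe",
     "OriginalFileName": "update.exe", "CommandLine": "update.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # normal install location: no alert
    {"EventID": 1, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "OriginalFileName": "app.exe", "CommandLine": "app.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # would match the path rule but is allow-listed after tuning
    {"EventID": 1, "Image": "C:\\Users\\Public\\Desktop\\VendorInstaller.exe",
     "OriginalFileName": "VendorInstaller.exe",
     "CommandLine": "VendorInstaller.exe /silent",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Security 4688 record: no OriginalFileName, so only the path rule can fire
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\Debug\\svc.exe",
     "CommandLine": "svc.exe",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},
]

if __name__ == "__main__":
    for image, rules in run(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(rules))
```

Running the block prints three alerts: the Fonts record matches both rules, the Public and Debug records match only the path rule, and the allow-listed installer and the Program Files process are silent. The allow-list is keyed on the full normalized path rather than the file name so that a renamed payload dropped next to a tolerated installer does not inherit its exception.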
