Skip to content
Threat Feed
high advisory

Windows System File Execution from Unusual Location

This rule detects the execution of legitimate Windows system binaries from non-standard locations, potentially indicating malicious activity such as malware execution or defense evasion.

This detection identifies instances where common Windows system executables, typically residing in directories like C:\Windows\System32, are executed from unusual or unexpected locations. Attackers may relocate or copy these binaries to bypass application control policies, evade detection, or proxy malicious commands through trusted processes. This activity can be indicative of various threats, including malware execution, privilege escalation, or lateral movement. The detection covers a wide range of system binaries, including powershell.exe, cmd.exe, regsvr32.exe, and others frequently abused by attackers. Several APT groups, including Lazarus and Sidewinder, have been observed leveraging this technique. This detection enhances visibility into anomalous process execution and helps identify potentially malicious behavior that might otherwise go unnoticed.

Attack Chain

  1. An attacker gains initial access to a compromised system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker copies a legitimate Windows system binary (e.g., powershell.exe, certutil.exe) from its original location (e.g., C:\Windows\System32) to a different directory (e.g., C:\Users\Public, C:\ProgramData).
  3. The attacker executes the copied binary from the non-standard location, often with command-line arguments designed to perform malicious actions (e.g., downloading malware, executing scripts, or modifying system settings).
  4. The executed binary, now running from an unusual location, may download a payload from a remote server using tools like certutil.exe.
  5. The downloaded payload is executed, potentially establishing persistence, escalating privileges, or performing other malicious activities.
  6. The attacker uses the system binary to perform reconnaissance, such as gathering user credentials or identifying network resources.
  7. The attacker leverages the system binary to move laterally to other systems on the network, repeating the process of copying and executing the binary from non-standard locations.
  8. The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or disruption of services.

Impact

Successful exploitation can lead to a wide range of impacts, including malware infection, data theft, system compromise, and lateral movement within the network. By executing from unusual locations, attackers can bypass security controls and blend in with legitimate system activity, making detection more difficult. This technique is often used as part of more complex attack chains, potentially affecting hundreds or thousands of systems within an organization. Organizations across all sectors are at risk, particularly those with weak application control policies or limited endpoint detection capabilities.

Recommendation

  • Implement the Sigma rule "System File Execution Location Anomaly" to detect suspicious execution of system binaries from non-standard locations (logsource: process_creation).
  • Enable process creation logging (Event ID 4688 on Windows) to ensure the Sigma rule has the necessary data to function correctly.
  • Investigate any alerts generated by the Sigma rule, focusing on processes that are executed from unusual directories and have suspicious command-line arguments.
  • Implement application control policies to restrict the execution of system binaries to authorized locations.
  • Monitor for modifications to file attributes such as the creation date or modification date in tandem with execution from unusual locations.

Detection coverage 2

Suspicious System File Execution from User Profile

high

Detects execution of system files from user profile directories, which is often a sign of malicious activity.

sigma tactics: defense_evasion techniques: T1036 sources: process_creation, windows

Suspicious CertUtil Execution from Non-Standard Path

medium

Detects certutil.exe execution from a non-standard directory, excluding common update locations.

sigma tactics: defense_evasion techniques: T1036 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →