Windows Suspicious Process Execution from Unusual File Paths
Adversaries may execute malicious processes from unusual file paths (e.g., within Windows, Users, or Recycle Bin directories) to evade defenses and potentially compromise systems.
This threat brief focuses on the execution of processes from suspicious or unusual file paths on Windows systems, a common tactic used by adversaries to bypass security controls and execute malicious code. Attackers often place malware in directories like C:\Windows\Fonts, C:\Users\Public, or the Recycle Bin, as these locations are less likely to be closely monitored. This technique allows for the execution of unauthorized software, potentially leading to system compromise, data exfiltration, or further malicious activities within the environment. The referenced reports detail instances where malware like AsyncRAT, various stealers, and ransomware variants were deployed using such methods. Defenders should prioritize monitoring process execution from atypical locations to detect and prevent such attacks.
Attack Chain
- Initial Access: The attacker gains initial access through an unknown vector (e.g., drive-by download, exploiting a vulnerability, or social engineering).
- Payload Delivery: A malicious executable or script (e.g., a PowerShell script) is deposited in a suspicious directory such as
C:\Users\Public\orC:\Windows\Temp\. - Persistence (Optional): The attacker establishes persistence by creating a scheduled task or modifying a registry key to execute the payload upon system startup or user logon.
- Execution: The malicious executable or script is executed using a legitimate Windows process such as
cmd.exeorpowershell.exe, or directly by the user. - Defense Evasion: The attacker employs techniques to evade detection, such as obfuscation, process injection, or running the malicious code from a trusted directory.
- Command and Control: The executed malware establishes a connection to a remote command-and-control (C2) server to receive further instructions.
- Lateral Movement (Optional): The attacker attempts to move laterally to other systems within the network by exploiting vulnerabilities or using stolen credentials.
- Impact: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or disruption of services.
Impact
Successful exploitation can lead to significant damage, including data theft, system compromise, and ransomware infections. While the exact number of victims is unknown, this technique has been observed in various campaigns involving malware such as stealers, remote access trojans (RATs) like AsyncRAT, and ransomware. Industries that are commonly targeted by these types of attacks include healthcare, finance, and critical infrastructure. The impact could range from financial losses and reputational damage to disruption of essential services.
Recommendation
- Enable Sysmon process-creation logging to capture detailed information about process executions, including file paths (Sysmon EventID 1).
- Deploy the Sigma rule "Suspicious Process Executed from Recycle Bin" to detect processes running directly from the Recycle Bin directory (logsource: process_creation).
- Deploy the Sigma rule "Suspicious Process Executed from Windows Fonts Directory" to detect processes running directly from the Windows Fonts directory (logsource: process_creation).
- Investigate any alerts generated by these rules, focusing on processes with unusual parent-child relationships or command-line arguments.
Detection coverage 3
Suspicious Process Executed from Recycle Bin
highDetects processes running directly from the Recycle Bin, which is highly unusual and often indicative of malicious activity.
Suspicious Process Executed from Windows Fonts Directory
highDetects processes running directly from the Windows Fonts directory, which is an unexpected location for executable files.
Suspicious Process Executed from Public User Directory
mediumDetects processes running directly from the Public user directory, often used for initial payload storage.
Detection queries are available on the platform. Get full rules →