Process Execution from Suspicious Windows Directories
Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.
This detection identifies process execution from suspicious default Windows directories. Attackers may hide malware in trusted paths to evade defenses, making it difficult for analysts to distinguish between legitimate and malicious activity. The detection focuses on identifying processes running from directories like C:\PerfLogs, C:\Users\Public, and various Windows subdirectories (e.g., C:\Windows\Tasks, C:\Windows\AppReadiness), where executable files are not typically expected to reside. The detection excludes known legitimate processes such as SpeechUXWiz.exe, SystemSettings.exe, TrustedInstaller.exe, and certain Intel and IBM executables to reduce false positives. This technique is often used to bypass security controls or take advantage of existing exceptions applied to these directories. This activity was observed being used by threat actors in the Siestagraph campaign.
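A small matcher for the logic described above, written here as an added example (not the platform's query and not the Sigma rule itself): it applies the suspicious-directory prefix test and the named exclusions to constructed Security Event ID 4688 records, covering both the image-path and the command-line variant listed under detection coverage. The directory list is the subset the page names, NewProcessName and CommandLine are the standard 4688 fields, and the sample events are constructed.

```python
# The directories the page names (its full list is longer); lowercase with a trailing
# backslash so a near-miss such as C:\Users\PublicShare\ does not match C:\Users\Public\.
SUSPICIOUS_DIRS = (
    "c:\\perflogs\\",
    "c:\\users\\public\\",
    "c:\\windows\\tasks\\",
    "c:\\windows\\appreadiness\\",
)
# Known-legitimate images the page names as exclusions (its Intel/IBM set is not listed).
EXCLUDED_IMAGES = frozenset({"speechuxwiz.exe", "systemsettings.exe", "trustedinstaller.exe"})

def _norm(path: str) -> str:
    """Windows paths are case-insensitive; strip quotes and accept forward slashes."""
    return path.strip().strip('"').replace("/", "\\").lower()

def is_suspicious_path(image: str) -> bool:
    """True if the image lives in, or anywhere below, a suspicious directory."""
    return any(_norm(image).startswith(d) for d in SUSPICIOUS_DIRS)

def is_excluded(image: str) -> bool:
    """True for the allow-listed image names, wherever they run from."""
    return _norm(image).rsplit("\\", 1)[-1] in EXCLUDED_IMAGES

def match_process(event: dict) -> bool:
    """Rule 1 (image path): run from a suspicious directory and not excluded."""
    image = event.get("NewProcessName", "")
    return is_suspicious_path(image) and not is_excluded(image)

def match_commandline(event: dict) -> bool:
    """Rule 2 (command line): any argument references a suspicious directory."""
    cmdline = _norm(event.get("CommandLine", ""))
    return any(d in cmdline for d in SUSPICIOUS_DIRS)

def evaluate(events: list) -> list:
    """Return (image, [rules fired]) for every event that matches at least one rule."""
    rules = (("image", match_process), ("cmdline", match_commandline))
    hits = []
    for ev in events:
        fired = [name for name, fn in rules if fn(ev)]
        if fired:
            hits.append((ev.get("NewProcessName", ""), fired))
    return hits

# Constructed sample 4688 records; NewProcessName and CommandLine are the event's real fields.
SAMPLE_4688 = [
    {"NewProcessName": r"C:\Users\Public\Libraries\update.exe", "CommandLine": "update.exe /s"},
    {"NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd.exe /c "C:\Windows\Tasks\svc.exe"'},
    {"NewProcessName": r"C:\Users\Public\SystemSettings.exe", "CommandLine": "SystemSettings.exe"},  # excluded
    {"NewProcessName": r"C:\Users\PublicShare\tool.exe", "CommandLine": "tool.exe"},  # near-miss prefix
    {"NewProcessName": r"C:\Windows\AppReadiness\loader.exe", "CommandLine": r'"C:\Windows\AppReadiness\loader.exe" -k'},
]
```

Running `evaluate(SAMPLE_4688)` flags the first, second and fifth records only; the excluded image and the near-miss prefix produce no alert, which is the behaviour to check when tuning the rule for your own environment.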
Attack Chain
- An attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker drops a malicious executable into a suspicious directory like C:\Users\Public or C:\Windows\Tasks.
- The attacker executes the malware from the unusual directory. This might be achieved using cmd.exe or powershell.exe.
- The executed malware establishes persistence by creating a scheduled task or modifying registry keys.
- The malware connects to a command-and-control (C2) server to receive further instructions.
- The C2 server instructs the malware to perform reconnaissance on the network.
- The malware attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting vulnerabilities.
- The attacker achieves their objective, such as data exfiltration, ransomware deployment, or establishing long-term access to the network.
Impact
Successful exploitation can lead to the execution of arbitrary code, persistence on the system, and further compromise of the network. Attackers can use this technique to bypass security controls and evade detection, potentially leading to data breaches, financial loss, or disruption of services. While the rule itself has a medium severity, the impact of a successful attack using this technique can be severe, depending on the attacker’s objectives and the compromised data.
Recommendation
- Deploy the Sigma rule “Process Execution from Unusual Directory” to your SIEM and tune for your environment to detect suspicious process execution.
- Investigate any alerts generated by the Sigma rule to determine if the process execution is legitimate or malicious.
- Enable process creation logging, specifically Event ID 4688 with command line process auditing, to ensure the Sigma rule has the necessary data to function effectively.
- Review and harden permissions on the listed suspicious directories to prevent unauthorized file creation and execution.
- Block execution of unsigned or untrusted executables from these directories using application control solutions.
Detection coverage (2 rules)
Process Execution from Unusual Directory
Severity: medium. Detects process execution from suspicious default Windows directories, which is often used to hide malware.
Process Execution from Unusual Directory - CommandLine
Severity: medium. Detects command-line execution from suspicious default Windows directories.