System Process Executables Created in Unusual Locations
The creation of executable files masquerading as legitimate Windows system processes in non-standard directories indicates potential malware installation or defense evasion tactics by threat actors.
Adversaries may attempt to evade detection by creating or copying executables with names that mimic legitimate Windows system processes (e.g., explorer.exe, powershell.exe, svchost.exe) in directories where they are not typically found. This technique can be used to disguise malicious payloads, making them appear as part of the normal operating system. This activity is often seen after initial access has been established and the attacker is attempting to establish persistence or execute further malicious code. Detecting the creation of these files in unexpected locations, outside of standard system directories, is a crucial step in identifying potential threats. Initial baselining is highly recommended to reduce false positives due to legitimate software installations.
Attack Chain
- Initial Access: The attacker gains initial access through an undisclosed method (e.g., exploiting a vulnerability or using stolen credentials).
- Payload Delivery: A malicious payload is delivered to the system, often dropped in a temporary or user-writable directory.
- File Creation: The attacker creates a copy of a legitimate system process executable (e.g.,
powershell.exe) in a non-standard location. - Masquerading: The malicious copy is named to match a legitimate system process executable.
- Persistence: The attacker establishes persistence by creating a scheduled task or modifying a registry key to execute the malicious copy.
- Execution: The malicious copy is executed, performing its intended actions (e.g., downloading additional malware, establishing command and control).
- Privilege Escalation: The attacker attempts to escalate privileges to gain higher-level access to the system.
- Lateral Movement: The attacker moves laterally to other systems on the network, repeating the process.
Impact
Successful exploitation allows attackers to execute arbitrary code, establish persistence, and potentially compromise the entire system or network. The use of masquerading techniques makes it more difficult for security tools and administrators to detect malicious activity. Depending on the compromised system, the impact could range from data theft to complete system compromise and disruption of services. It is difficult to estimate the number of potential victims.
Recommendation
- Enable file creation logging and monitor for the creation of executable files with system process names in non-standard directories, as highlighted in the Sigma rule "Files With System Process Name In Unsuspected Locations".
- Perform an initial baseline of your environment to identify legitimate instances of system process executables in non-standard locations before deploying the Sigma rules.
- Deploy the Sigma rules provided in this brief to your SIEM and tune for your specific environment.
- Investigate any alerts generated by the Sigma rules to determine the legitimacy of the file creation event.
Detection coverage 3
Detect System Process Executables Created in Non-Standard Locations
mediumDetects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.)
Detect TiWorker.exe Creation in Temp Directory
mediumDetects the creation of TiWorker.exe in the Windows Temp directory
Detect Explorer.exe Creation in Windows Directory
mediumDetects the creation of Explorer.exe in the Windows directory
Detection queries are available on the platform. Get full rules →