Process Execution from Unusual Windows Directories
Adversaries may execute processes from unusual Windows directories to masquerade malware as legitimate software and evade defenses.
This detection rule, sourced from Elastic, aims to identify instances where executable files are launched from atypical directories within a Windows operating system. Attackers often leverage this technique, documented since at least 2020, to conceal malicious payloads within seemingly benign or trusted file paths. By placing malware in locations such as C:\PerfLogs\ or C:\Windows\Tasks\, adversaries aim to bypass security measures that might otherwise flag suspicious activity. The scope of this technique spans across various Windows versions, making it a broadly applicable evasion tactic for attackers attempting to blend malicious processes with legitimate system activities. The Elastic rule, last updated in April 2026, incorporates an EQL query across multiple log sources to identify this behavior.
Attack Chain
- An attacker gains initial access to a Windows system (e.g., via phishing or exploit).
- The attacker uploads a malicious executable to a suspicious directory like
C:\Users\Public\orC:\Windows\Tasks\. - The attacker uses a dropper or other execution method (e.g., scheduled task) to initiate the malicious executable.
- The malicious process begins execution from the unusual directory.
- The process attempts to establish an outbound network connection, potentially for command and control (C2).
- The process may attempt to modify registry keys to establish persistence.
- The process may attempt to escalate privileges or perform lateral movement within the network.
- The attacker achieves their objective, such as data exfiltration or establishing a persistent foothold.
Impact
Successful exploitation allows attackers to execute malicious code while potentially bypassing security controls that rely on file path reputation. This can lead to data theft, system compromise, or the establishment of a persistent backdoor. The impact is widespread, affecting any Windows environment where users or automated processes can introduce executable files into these unusual directories. The number of potential victims is high, spanning across multiple sectors and industries.
Recommendation
- Deploy the Sigma rule
Suspicious Process Execution from Unusual Windows Directoriesto your SIEM and tune for your environment. - Enable process creation logging with command line arguments via Windows Security Event Logs or Sysmon to provide data for the Sigma rule.
- Investigate any alerts generated by the Sigma rule
Suspicious Process Execution from Unusual Windows Directoriesto determine if the activity is legitimate or malicious. - Review and harden permissions on the listed directories to prevent unauthorized file creation.
Detection coverage 1
Suspicious Process Execution from Unusual Windows Directories
mediumDetects process execution from suspicious default Windows directories, often used to hide malware.
Detection queries are available on the platform. Get full rules →