{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/process-execution/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows","process-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule flags process creation events in which a script host or proxy-execution binary runs from, or is pointed at a payload in, a default Windows directory that is rarely a legitimate execution source. Attackers favor these locations for staging malware: they exist on every Windows installation, are seldom monitored, and in several cases are writable by unprivileged users, so a payload placed there inherits the appearance of a system path and is less conspicuous than one dropped in a user profile. The rule watches specific processes, including \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, and others, when they are executed from, or their command line points into, directories such as \u003ccode\u003eC:\\\\PerfLogs\\\\\u003c/code\u003e, \u003ccode\u003eC:\\\\Users\\\\Public\\\\\u003c/code\u003e, and \u003ccode\u003eC:\\\\Windows\\\\Tasks\\\\\u003c/code\u003e. The intent is to surface process behavior that deviates from the expected norm and so give early warning of malicious activity. 
The logic also carries exclusions for known legitimate executables and command-line arguments seen in those directories, which keeps false positives down; the exclusion list is the part of the rule that most needs tuning per environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, for example through phishing or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious payload into one of the suspicious directories, such as \u003ccode\u003eC:\\\\Users\\\\Public\\\\\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\Tasks\\\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker launches the payload through a legitimate, Microsoft-signed Windows utility such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, or \u003ccode\u003ewscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed script or binary performs its malicious actions, such as establishing persistence.\u003c/li\u003e\n\u003cli\u003eBecause the payload sits in a built-in Windows path and is started by a signed system binary, the activity resembles normal system behavior; this is the evasion the rule is designed to counter.\u003c/li\u003e\n\u003cli\u003eThe malware may contact a command-and-control server.\u003c/li\u003e\n\u003cli\u003eThe malware may move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s final objective is typically to exfiltrate sensitive data or to damage the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful intrusion of this kind can lead to malware infection, data compromise, and disruption of the affected host. Attackers can establish persistent access, escalate privileges, and move laterally within the network. The impact ranges from minor disruption to a significant data breach, depending on the attacker\u0026rsquo;s objectives and on the compromised system\u0026rsquo;s role within the organization. 
The technique is not sector-specific; it applies to any organization that runs Windows endpoints, whatever its industry or size.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution from Unusual Directory - Command Line\u0026rdquo; to your SIEM and tune its exclusions for your environment, so that it flags suspicious process executions from unusual directories without drowning analysts in known-good launches.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert the rule raises: examine the full process tree (parent and grandparent), the command-line arguments, the user context, and the file that was launched, including its hash and signature status.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments; the rule cannot fire without them. Its Sigma logsource (Windows process creation) maps to Security Event ID 4688 with \u0026ldquo;Include command line in process creation events\u0026rdquo; enabled, or to Sysmon Event ID 1.\u003c/li\u003e\n\u003cli\u003eReview the list of suspicious directories and the exclusions regularly: add directories that are unusual in your environment and remove exclusions that no longer match anything legitimate.\u003c/li\u003e\n\u003cli\u003eApply application control (AppLocker or Windows Defender Application Control) so that executables and scripts cannot run from these directories in the first place; the detection then covers whatever the policy leaves open.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-03-execution-from-unusual-directory/","summary":"This rule identifies process execution from suspicious default Windows directories, which adversaries may abuse to hide malware in trusted paths to evade defenses.","title":"Execution from Unusual Directory - Command Line","url":"https://feed.craftedsignal.io/briefs/2024-01-03-execution-from-unusual-directory/"}],"language":"en","title":"CraftedSignal Threat Feed — Process-Execution","version":"https://jsonfeed.org/version/1.1"}
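Added example, not part of the feed entry above and not the Sigma rule it describes: a Python model of the detection logic the entry summarizes (watched binaries pointed at unusual directories, plus exclusions for known-good launches), run over constructed process-creation events of the Sysmon Event ID 1 / Security 4688 kind. The directory list and the watched binaries are the ones the entry names, with cmd.exe and powershell.exe taken from its attack chain; the environment-variable aliases, the allowlist patterns, the Acme DLL path, and every sample event are assumptions invented for the demonstration. It goes one step beyond the entry by also flagging any image whose own path lies in one of the directories, not only the listed binaries.

```python
"""Model of an 'execution from unusual directory' detection over Windows
process-creation events. Added example; the Sigma rule is not reproduced."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories the feed entry names: default Windows paths that are rarely a
# legitimate execution source. Kept without a trailing backslash; the matcher
# appends one so C:\Users\Public does not also match C:\Users\PublicArchive.
SUSPICIOUS_DIRS = (r'C:\PerfLogs', r'C:\Users\Public', r'C:\Windows\Tasks')

# Assumption: a command line may carry the unexpanded environment-variable
# spelling of the same directory (cmd.exe and scripts often launch children
# that way), so those spellings are folded onto the literal path first.
DIR_ALIASES = {
    r'%PUBLIC%': r'C:\Users\Public',
    r'%SYSTEMROOT%\Tasks': r'C:\Windows\Tasks',
    r'%WINDIR%\Tasks': r'C:\Windows\Tasks',
}

# Script hosts and proxy-execution binaries the entry names, plus cmd.exe and
# powershell.exe from its attack chain.
WATCHED_IMAGES = {'wscript.exe', 'cscript.exe', 'rundll32.exe',
                  'regsvr32.exe', 'cmd.exe', 'powershell.exe'}

# Constructed stand-ins for the rule's false-positive filters: known-good
# command lines that legitimately touch one of the directories.
ALLOWED_CMDLINE_PATTERNS = [
    # hypothetical line-of-business DLL that IT registers from Users\Public
    re.compile(r'regsvr32\.exe"?\s+/s\s+"?C:\\Users\\Public\\Acme\\', re.I),
    # shortcuts on the shared desktop, opened by explorer rather than a script
    re.compile(r'C:\\Users\\Public\\Desktop\\[^\\"]+\.lnk', re.I),
]


@dataclass
class ProcessEvent:
    image: str            # full path of the created process
    command_line: str
    parent_image: str = ''


@dataclass
class Alert:
    event: ProcessEvent
    reason: str


def _normalize(text: str) -> str:
    low = text.lower()
    for alias, real in DIR_ALIASES.items():
        low = low.replace(alias.lower(), real.lower())
    return low


def _suspicious_dir_in(text: str) -> Optional[str]:
    norm = _normalize(text)
    for d in SUSPICIOUS_DIRS:
        if d.lower() + '\\' in norm:
            return d
    return None


def _basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def is_allowlisted(ev: ProcessEvent) -> bool:
    return any(p.search(ev.command_line) for p in ALLOWED_CMDLINE_PATTERNS)


def evaluate(ev: ProcessEvent) -> Optional[Alert]:
    # Trigger 1: the executing image itself lives in one of the directories
    # (any image name; a dropped payload rarely reuses a watched name).
    d = _suspicious_dir_in(ev.image)
    if d is not None:
        reason = f'image executed from {d}'
    else:
        # Trigger 2 (the command-line variant the entry describes): a watched
        # script host or proxy binary is pointed at a payload in a directory.
        if _basename(ev.image) not in WATCHED_IMAGES:
            return None
        d = _suspicious_dir_in(ev.command_line)
        if d is None:
            return None
        reason = f'{_basename(ev.image)} command line references {d}'
    return None if is_allowlisted(ev) else Alert(ev, reason)


def run(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events: the first four should alert, the rest should not.
SAMPLE_EVENTS = [
    ProcessEvent(r'C:\Windows\System32\wscript.exe',
                 r'wscript.exe "C:\Users\Public\invoice.vbs"', r'C:\Windows\explorer.exe'),
    ProcessEvent(r'C:\Windows\System32\rundll32.exe',
                 r'rundll32.exe C:\PerfLogs\update.dll,Start', r'C:\Windows\System32\cmd.exe'),
    ProcessEvent(r'C:\Windows\System32\cmd.exe',
                 r'cmd.exe /c start %PUBLIC%\stage2.exe', r'C:\Windows\System32\wscript.exe'),
    ProcessEvent(r'C:\Windows\Tasks\svc.exe', r'svc.exe -install',
                 r'C:\Windows\System32\services.exe'),
    ProcessEvent(r'C:\Windows\System32\regsvr32.exe',
                 r'regsvr32.exe /s C:\Users\Public\Acme\legit.dll', r'C:\Windows\System32\msiexec.exe'),
    ProcessEvent(r'C:\Windows\System32\svchost.exe', r'svchost.exe -k netsvcs',
                 r'C:\Windows\System32\services.exe'),
    ProcessEvent(r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
                 r'powershell.exe -File C:\ProgramData\scripts\backup.ps1', r'C:\Windows\System32\svchost.exe'),
]

if __name__ == '__main__':
    for alert in run(SAMPLE_EVENTS):
        print(f'ALERT {alert.reason}: {alert.event.command_line}')
```

The trailing-backslash check and the alias folding are the two details that matter in practice: without the first, a directory prefix matches unrelated siblings; without the second, `%PUBLIC%\stage2.exe` sails past a literal-path match. The allowlist is the fragile part: the Acme exclusion is only as safe as the ACL on that subdirectory, because anything an unprivileged user can write there is now launchable without an alert.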