Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference
« Process Creation via Secondary Logon Process Injection - Detected - Elastic Endgame »

Process Execution from an Unusual Directoryedit

Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion
  • Elastic Endgame

Version: 102 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit












Rule queryedit






process where event.type == "start" and /* add suspicious execution
paths here */ process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\
Public\\*.exe","C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD
\\Temp\\*.exe","C:\\Windows\\AppReadiness\\*.exe", "C:\\Windows\\Servi
ceState\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityC
RL\\*.exe","C:\\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe",
"C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\W
indows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\F
onts\\*.exe", "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*
.exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe"
,"C:\\windows\\tracing\\*.exe", "c:\\windows\\IME\\*.exe","c:\\Window
s\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*
.exe","C:\\Windows\\dot3svc\\*.exe", "C:\\Windows\\panther\\*.exe","C
:\\Windows\\RemotePackages\\*.exe","C:\\Windows\\OCR\\*.exe","C:\\Wind
ows\\appcompat\\*.exe","C:\\Windows\\apppatch\\*.exe","C:\\Windows\\ad
dins\\*.exe", "C:\\Windows\\Setup\\*.exe","C:\\Windows\\Help\\*.exe",
"C:\\Windows\\SKB\\*.exe","C:\\Windows\\Vss\\*.exe","C:\\Windows\\Web\
\*.exe","C:\\Windows\\servicing\\*.exe","C:\\Windows\\CbsTemp\\*.exe",
"C:\\Windows\\Logs\\*.exe","C:\\Windows\\WaaS\\*.exe","C:\\Windows\\Sh
ellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Wind
ows\\PLA\\*.exe", "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debug
\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.exe
","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe", "C:\\Win
dows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\s
ecurity\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\\
*.exe","C:\\Windows\\Resources\\*.exe", "C:\\Windows\\rescache\\*.exe
","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe"
,"C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe",
"C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C
:\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe",
"C:\\Windows\\ImmersiveControlPanel\\*.exe") and not process.name : (
"SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDi
alog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") and not
process.executable :
("?:\\Intel\\Wireless\\WUSetupLauncher.exe",
"?:\\Intel\\Wireless\\Setup.exe", "?:\\Intel\\Move
Mouse.exe", "?:\\windows\\Panther\\DiagTrackRunner.exe",
"?:\\Windows\\servicing\\GC64\\tzupd.exe",
"?:\\Users\\Public\\res\\RemoteLite.exe",
"?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe",
"?:\\Users\\Public\\Documents\\syspin.exe",
"?:\\Users\\Public\\res\\FileWatcher.exe") /* uncomment once in
winlogbeat */ /* and not (process.code_signature.subject_name ==
"Microsoft Corporation" and process.code_signature.trusted == true) */











Threat mappingedit




Framework: MITRE ATT&CKTM














Rule version historyedit










Version 102 (8.6.0 release)








    

  • 
Formatting only

    • 









Version 101 (8.5.0 release)








    

  • 

    Updated query, changed from:
    

    

    process where event.type in ("start", "process_started", "info") and
/* add suspicious execution paths here */ process.executable : ("C:\\P
erfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Windows\\Tasks\\*.exe"
,"C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe","C:\\Windows\\AppReadiness\
\*.exe", "C:\\Windows\\ServiceState\\*.exe","C:\\Windows\\security\\*.
exe","C:\\Windows\\IdentityCRL\\*.exe","C:\\Windows\\Branding\\*.exe",
"C:\\Windows\\csc\\*.exe",
"C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\W
indows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\F
onts\\*.exe", "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*
.exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe"
,"C:\\windows\\tracing\\*.exe", "c:\\windows\\IME\\*.exe","c:\\Window
s\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*
.exe","C:\\Windows\\dot3svc\\*.exe", "C:\\Windows\\panther\\*.exe","C
:\\Windows\\RemotePackages\\*.exe","C:\\Windows\\OCR\\*.exe","C:\\Wind
ows\\appcompat\\*.exe","C:\\Windows\\apppatch\\*.exe","C:\\Windows\\ad
dins\\*.exe", "C:\\Windows\\Setup\\*.exe","C:\\Windows\\Help\\*.exe",
"C:\\Windows\\SKB\\*.exe","C:\\Windows\\Vss\\*.exe","C:\\Windows\\Web\
\*.exe","C:\\Windows\\servicing\\*.exe","C:\\Windows\\CbsTemp\\*.exe",
"C:\\Windows\\Logs\\*.exe","C:\\Windows\\WaaS\\*.exe","C:\\Windows\\Sh
ellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Wind
ows\\PLA\\*.exe", "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debug
\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.exe
","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe", "C:\\Win
dows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\s
ecurity\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\\
*.exe","C:\\Windows\\Resources\\*.exe", "C:\\Windows\\rescache\\*.exe
","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe"
,"C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe",
"C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C
:\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe",
"C:\\Windows\\ImmersiveControlPanel\\*.exe") and not process.name : (
"SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDi
alog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") and not
process.executable :
("?:\\Intel\\Wireless\\WUSetupLauncher.exe",
"?:\\Intel\\Wireless\\Setup.exe", "?:\\Intel\\Move
Mouse.exe", "?:\\windows\\Panther\\DiagTrackRunner.exe",
"?:\\Windows\\servicing\\GC64\\tzupd.exe",
"?:\\Users\\Public\\res\\RemoteLite.exe",
"?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe",
"?:\\Users\\Public\\Documents\\syspin.exe",
"?:\\Users\\Public\\res\\FileWatcher.exe") /* uncomment once in
winlogbeat */ /* and not (process.code_signature.subject_name ==
"Microsoft Corporation" and process.code_signature.trusted == true) */
    

    

    • 









Version 6 (8.4.0 release)








    

  • 

    Updated query, changed from:
    

    

    process where event.type in ("start", "process_started", "info") and
/* add suspicious execution paths here */ process.executable : ("C:\\P
erfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Users\\Default\\*.exe"
,"C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe"
,"C:\\Windows\\AppReadiness\\*.exe", "C:\\Windows\\ServiceState\\*.exe
","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityCRL\\*.exe","C:
\\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe",
"C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\W
indows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\F
onts\\*.exe", "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*
.exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe"
,"C:\\windows\\tracing\\*.exe", "c:\\windows\\IME\\*.exe","c:\\Window
s\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*
.exe","C:\\Windows\\dot3svc\\*.exe","C:\\Windows\\ServiceProfiles\\*.e
xe", "C:\\Windows\\panther\\*.exe","C:\\Windows\\RemotePackages\\*.ex
e","C:\\Windows\\OCR\\*.exe","C:\\Windows\\appcompat\\*.exe","C:\\Wind
ows\\apppatch\\*.exe","C:\\Windows\\addins\\*.exe", "C:\\Windows\\Set
up\\*.exe","C:\\Windows\\Help\\*.exe","C:\\Windows\\SKB\\*.exe","C:\\W
indows\\Vss\\*.exe","C:\\Windows\\Web\\*.exe","C:\\Windows\\servicing\
\*.exe","C:\\Windows\\CbsTemp\\*.exe", "C:\\Windows\\Logs\\*.exe","C:
\\Windows\\WaaS\\*.exe","C:\\Windows\\twain_32\\*.exe","C:\\Windows\\S
hellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Win
dows\\PLA\\*.exe", "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debu
g\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.ex
e","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe", "C:\\Wi
ndows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\
security\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\
\*.exe","C:\\Windows\\Resources\\*.exe", "C:\\Windows\\rescache\\*.ex
e","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe
","C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe",
"C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C
:\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe",
"C:\\Windows\\ImmersiveControlPanel\\*.exe") and not process.name : (
"SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDi
alog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") /* uncomment once
in winlogbeat */ /* and not (process.code_signature.subject_name ==
"Microsoft Corporation" and process.code_signature.trusted == true) */
    

    

    • 









Version 4 (8.2.0 release)








    

  • 
Formatting only

    • 









Version 3 (7.12.0 release)








    

  • 
Formatting only

    • 









Version 2 (7.11.2 release)








    

  • 
Formatting only

    • 


















« Process Creation via Secondary Logon


Process Injection - Detected - Elastic Endgame »