splApache-2.0from splunk/security_content
System Processes Run From Unexpected Locations
The following analytic identifies system processes running from unexpected locations outside of paths such as `C:\Windows\System32\` or `C:\Windows\SysWOW64`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process paths, names, and hashes. This activity is significant as it may indicate a malicious process attempting to masquerade as a legitimate system process. If confirmed malicious, this behavior could allow an attacker to execute code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/system_processes_run_from_unexpected_locations.yml
| tstats `security_content_summariesonly`
count min(_time) as firstTime max(_time) as lastTime
FROM datamodel=Endpoint.Processes where
NOT Processes.process_path IN (
"*:\\$WINDOWS.~BT\\*",
"*:\\$WinREAgent\\*",
"*:\\Program Files \(x86\)\\Windows Kits\\10\\App Certification Kit\\*",
"*:\\Windows\\SoftwareDistribution\\*",
"*:\\Windows\\System32\\*",
"*:\\Windows\\SystemTemp\\*",
"*:\\Windows\\SysWOW64\\*",
"*:\\Windows\\uus\\*",
"*:\\Windows\\WinSxS\\*"
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile
| search systemFile=true
| `system_processes_run_from_unexpected_locations_filter`