IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Execution from Unusual Directory - Command Line
editExecution from Unusual Directory - Command Line
editIdentifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Execution
Version: 4 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
This is related to the Process Execution from an Unusual Directory rule
.
Rule query
editprocess where event.type in ("start", "process_started", "info") and process.name : ("wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "cmstp.exe", "RegAsm.exe", "installutil.exe", "mshta.exe", "RegSvcs.exe", "powershell.exe", "pwsh.exe", "cmd.exe") and /* add suspicious execution paths here */ process.args : ("C:\\PerfLogs\\*", "C:\\Users\\Public\\*", "C:\\Users\\Default\\*", "C:\\Windows\\Tasks\\*", "C:\\Intel\\*", "C:\\AMD\\Temp\\*", "C:\\Windows\\AppReadiness\\*", "C:\\Windows\\ServiceState\\*", "C:\\Windows\\security\\*", "C:\\Windows\\IdentityCRL\\*", "C:\\Windows\\Branding\\*", "C:\\Windows\\csc\\*", "C:\\Windows\\DigitalLocker\\*", "C:\\Windows\\en- US\\*", "C:\\Windows\\wlansvc\\*", "C:\\Windows\\Prefetch\\*", "C:\\Windows\\Fonts\\*", "C:\\Windows\\diagnostics\\*", "C:\\Windows\\TAPI\\*", "C:\\Windows\\INF\\*", "C:\\Windows\\System32\\Speech\\*", "C:\\windows\\tracing\\*", "c:\\windows\\IME\\*", "c:\\Windows\\Performance\\*", "c:\\windows\\intel\\*", "c:\\windows\\ms\\*", "C:\\Windows\\dot3svc\\*", "C:\\Windows\\ServiceProfiles\\*", "C:\\Windows\\panther\\*", "C:\\Windows\\RemotePackages\\*", "C:\\Windows\\OCR\\*", "C:\\Windows\\appcompat\\*", "C:\\Windows\\apppatch\\*", "C:\\Windows\\addins\\*", "C:\\Windows\\Setup\\*", "C:\\Windows\\Help\\*", "C:\\Windows\\SKB\\*", "C:\\Windows\\Vss\\*", "C:\\Windows\\Web\\*", "C:\\Windows\\servicing\\*", "C:\\Windows\\CbsTemp\\*", "C:\\Windows\\Logs\\*", "C:\\Windows\\WaaS\\*", "C:\\Windows\\twain_32\\*", "C:\\Windows\\ShellExperiences\\*", "C:\\Windows\\ShellComponents\\*", "C:\\Windows\\PLA\\*", "C:\\Windows\\Migration\\*", "C:\\Windows\\debug\\*", "C:\\Windows\\Cursors\\*", "C:\\Windows\\Containers\\*", "C:\\Windows\\Boot\\*", "C:\\Windows\\bcastdvr\\*", "C:\\Windows\\assembly\\*", "C:\\Windows\\TextInput\\*", "C:\\Windows\\security\\*", "C:\\Windows\\schemas\\*", "C:\\Windows\\SchCache\\*", "C:\\Windows\\Resources\\*", "C:\\Windows\\rescache\\*", "C:\\Windows\\Provisioning\\*", "C:\\Windows\\PrintDialog\\*", "C:\\Windows\\PolicyDefinitions\\*", "C:\\Windows\\media\\*", "C:\\Windows\\Globalization\\*", "C:\\Windows\\L2Schemas\\*", "C:\\Windows\\LiveKernelReports\\*", "C:\\Windows\\ModemLogs\\*", "C:\\Windows\\ImmersiveControlPanel\\*", "C:\\$Recycle.Bin\\*") and not process.parent.executable : ("C:\\WIN DOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe", "C:\\Windows\\System32\\spacedeskService.exe", "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and not (process.name : "rundll32.exe" and process.args : ("uxtheme.dll,#64", "PRINTUI.DLL,PrintUIEntry"))
Rule version history
edit- Version 4 (7.13.0 release)
-
-
Updated query, changed from:
process where event.type in ("start", "process_started", "info") and process.name : ("wscript.exe","cscript.exe","rundll32.exe","regsvr32.e xe","cmstp.exe","RegAsm.exe","installutil.exe","mshta.exe","RegSvcs.ex e", "powershell.exe", "pwsh.exe", "cmd.exe") and /* add suspicious execution paths here */ process.args : ("C:\\PerfLogs\\*","C:\\Users\\ Public\\*","C:\\Users\\Default\\*","C:\\Windows\\Tasks\\*","C:\\Intel\ \*", "C:\\AMD\\Temp\\*", "C:\\Windows\\AppReadiness\\*", "C:\\Window s\\ServiceState\\*","C:\\Windows\\security\\*","C:\\Windows\\IdentityC RL\\*","C:\\Windows\\Branding\\*","C:\\Windows\\csc\\*", "C:\\Windows\\DigitalLocker\\*","C:\\Windows\\en-US\\*","C:\\Windows\\ wlansvc\\*","C:\\Windows\\Prefetch\\*","C:\\Windows\\Fonts\\*", "C:\\ Windows\\diagnostics\\*","C:\\Windows\\TAPI\\*","C:\\Windows\\INF\\*", "C:\\Windows\\System32\\Speech\\*","C:\\windows\\tracing\\*", "c:\\wi ndows\\IME\\*","c:\\Windows\\Performance\\*","c:\\windows\\intel\\*"," c:\\windows\\ms\\*","C:\\Windows\\dot3svc\\*","C:\\Windows\\ServicePro files\\*", "C:\\Windows\\panther\\*","C:\\Windows\\RemotePackages\\*" ,"C:\\Windows\\OCR\\*","C:\\Windows\\appcompat\\*","C:\\Windows\\apppa tch\\*","C:\\Windows\\addins\\*", "C:\\Windows\\Setup\\*","C:\\Window s\\Help\\*","C:\\Windows\\SKB\\*","C:\\Windows\\Vss\\*","C:\\Windows\\ Web\\*","C:\\Windows\\servicing\\*","C:\\Windows\\CbsTemp\\*", "C:\\W indows\\Logs\\*","C:\\Windows\\WaaS\\*","C:\\Windows\\twain_32\\*","C: \\Windows\\ShellExperiences\\*","C:\\Windows\\ShellComponents\\*","C:\ \Windows\\PLA\\*", "C:\\Windows\\Migration\\*","C:\\Windows\\debug\\* ","C:\\Windows\\Cursors\\*","C:\\Windows\\Containers\\*","C:\\Windows\ \Boot\\*","C:\\Windows\\bcastdvr\\*", "C:\\Windows\\assembly\\*","C:\ \Windows\\TextInput\\*","C:\\Windows\\security\\*","C:\\Windows\\schem as\\*","C:\\Windows\\SchCache\\*","C:\\Windows\\Resources\\*", "C:\\W indows\\rescache\\*","C:\\Windows\\Provisioning\\*","C:\\Windows\\Prin tDialog\\*","C:\\Windows\\PolicyDefinitions\\*","C:\\Windows\\media\\* ", "C:\\Windows\\Globalization\\*","C:\\Windows\\L2Schemas\\*","C:\\W indows\\LiveKernelReports\\*","C:\\Windows\\ModemLogs\\*","C:\\Windows \\ImmersiveControlPanel\\*", "C:\\$Recycle.Bin\\*")
-
- Version 3 (7.12.0 release)
-
-
Updated query, changed from:
process where event.type in ("start", "process_started", "info") and process.name : ("wscript.exe","cscript.exe","rundll32.exe","regsvr32.e xe","cmstp.exe","RegAsm.exe","installutil.exe","mshta.exe","RegSvcs.ex e") and /* add suspicious execution paths here */ process.args : ("C: \\PerfLogs\\*","C:\\Users\\Public\\*","C:\\Users\\Default\\*","C:\\Win dows\\Tasks\\*","C:\\Intel\\*", "C:\\AMD\\Temp\\*", "C:\\Windows\\AppReadiness\\*", "C:\\Windows\\ServiceState\\*","C:\\Wi ndows\\security\\*","C:\\Windows\\IdentityCRL\\*","C:\\Windows\\Brandi ng\\*","C:\\Windows\\csc\\*", "C:\\Windows\\DigitalLocker\\*","C:\\Windows\\en-US\\*","C:\\Windows\\ wlansvc\\*","C:\\Windows\\Prefetch\\*","C:\\Windows\\Fonts\\*", "C:\\ Windows\\diagnostics\\*","C:\\Windows\\TAPI\\*","C:\\Windows\\INF\\*", "C:\\Windows\\System32\\Speech\\*","C:\\windows\\tracing\\*", "c:\\wi ndows\\IME\\*","c:\\Windows\\Performance\\*","c:\\windows\\intel\\*"," c:\\windows\\ms\\*","C:\\Windows\\dot3svc\\*","C:\\Windows\\ServicePro files\\*", "C:\\Windows\\panther\\*","C:\\Windows\\RemotePackages\\*" ,"C:\\Windows\\OCR\\*","C:\\Windows\\appcompat\\*","C:\\Windows\\apppa tch\\*","C:\\Windows\\addins\\*", "C:\\Windows\\Setup\\*","C:\\Window s\\Help\\*","C:\\Windows\\SKB\\*","C:\\Windows\\Vss\\*","C:\\Windows\\ Web\\*","C:\\Windows\\servicing\\*","C:\\Windows\\CbsTemp\\*", "C:\\W indows\\Logs\\*","C:\\Windows\\WaaS\\*","C:\\Windows\\twain_32\\*","C: \\Windows\\ShellExperiences\\*","C:\\Windows\\ShellComponents\\*","C:\ \Windows\\PLA\\*", "C:\\Windows\\Migration\\*","C:\\Windows\\debug\\* ","C:\\Windows\\Cursors\\*","C:\\Windows\\Containers\\*","C:\\Windows\ \Boot\\*","C:\\Windows\\bcastdvr\\*", "C:\\Windows\\assembly\\*","C:\ \Windows\\TextInput\\*","C:\\Windows\\security\\*","C:\\Windows\\schem as\\*","C:\\Windows\\SchCache\\*","C:\\Windows\\Resources\\*", "C:\\W indows\\rescache\\*","C:\\Windows\\Provisioning\\*","C:\\Windows\\Prin tDialog\\*","C:\\Windows\\PolicyDefinitions\\*","C:\\Windows\\media\\* ", "C:\\Windows\\Globalization\\*","C:\\Windows\\L2Schemas\\*","C:\\W indows\\LiveKernelReports\\*","C:\\Windows\\ModemLogs\\*","C:\\Windows \\ImmersiveControlPanel\\*")
-
- Version 2 (7.11.2 release)
-
- Formatting only