Detection: System Process Running from Unexpected Location

Date: 2022-03-24 ID: 28179107-099a-464a-94d3-08301e6c055f Author: Jose Hernadnez, Ignacio Bermudez Corrales, Splunk Type: Anomaly Product: Splunk User Behavior Analytics

Description

An attacker tries might try to use different version of a system command without overriding original, or they might try to avoid some detection running the process from a different folder. This detection checks that a list of system processes run inside C:\Windows\System32 or C:\Windows\SysWOW64 The list of system processes has been extracted from https://github.com/splunk/security_content/blob/develop/lookups/is_windows_system_file.csv and the original detection https://github.com/splunk/security_content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml

Annotations

No annotations available.

Implementation

Collect endpoint data such as sysmon or 4688 events.

Known False Positives

None

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
A system process $process_name$ with commandline $process$ spawn in non-default folder path in host $dest_device_id$	56	70	80

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Version: 8