Detection: System Process Running from Unexpected Location

Description

An attacker may try to use a different version of a system command without overriding the original, or they may try to evade detection by running the process from a different folder. This detection checks that a list of known system processes run only from C:\Windows\System32 or C:\Windows\SysWOW64. The list of system processes has been extracted from https://github.com/splunk/security_content/blob/develop/lookups/is_windows_system_file.csv and the original detection https://github.com/splunk/security_content/blob/develop/detections/system_processes_run_from_unexpected_locations.yml
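The check described above, as an added example that is not part of the original detection or of the Splunk content: it normalizes the image path of each process-creation event and flags any known system process whose directory is not System32 or SysWOW64. The process list and the sample events are constructed for illustration; the real lookup CSV is far longer.

```python
import ntpath

# Constructed subset of names from is_windows_system_file.csv (assumption: the real
# lookup contains many more entries; only these names are checked here).
SYSTEM_PROCESSES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "smss.exe", "wininit.exe", "winlogon.exe",
}

# The only directories from which the listed processes are expected to run.
ALLOWED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalize_dir(image_path: str) -> str:
    """Return the lower-cased directory of an image path, tolerating quotes,
    forward slashes and trailing separators, so comparisons are case-insensitive."""
    cleaned = image_path.strip().strip('"').replace("/", "\\")
    return ntpath.dirname(cleaned).lower().rstrip("\\")


def is_unexpected_location(image_path: str) -> bool:
    """True when the image is a listed system process running outside ALLOWED_DIRS.
    Non-system binaries are ignored; a bare filename with no directory is flagged,
    since its location cannot be verified."""
    name = ntpath.basename(image_path.strip().strip('"')).lower()
    if name not in SYSTEM_PROCESSES:
        return False
    return normalize_dir(image_path) not in ALLOWED_DIRS


def find_unexpected(events):
    """Return (host, image) for every event that trips the detection."""
    return [(e["host"], e["image"]) for e in events if is_unexpected_location(e["image"])]


# Constructed process-creation events in the shape of Sysmon/4688 fields.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws01", "image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"host": "ws02", "image": r"C:\Users\Public\svchost.exe"},
    {"host": "ws02", "image": r"C:\WINDOWS\system32\lsass.exe"},
    {"host": "ws03", "image": r"C:\Windows\Temp\lsass.exe"},
    {"host": "ws03", "image": r"C:\Program Files\Vendor\tool.exe"},
]

if __name__ == "__main__":
    for host, image in find_unexpected(SAMPLE_EVENTS):
        print(f"{host}: system process launched from unexpected location: {image}")
```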

Annotations

No annotations available.

Implementation

Collect endpoint process-creation data, such as Sysmon or Windows Security event 4688 logs.

Known False Positives

None

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message: A system process $process_file_name$ was launched from the $process_cmd_line$ command line on host $device_hostname$. This location does not match the expected path for this process.
Risk Score: 56
Impact: 70
Confidence: 80
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact are set by the analytic author.

References


Version: 11