
Summary
This detection rule identifies process execution from uncommon Windows directories, a pattern that can indicate malware staged in locations that are writable by unprivileged users or are rarely used by legitimate software. Adversaries drop or copy executables into such directories, sometimes under the name of a legitimate binary, so that the file blends in with trusted system paths and evades casual review. The rule uses EQL (Event Query Language) to match Windows process events whose executable path falls under a set of known-suspicious directories. Suggested investigation steps include reviewing the process tree to identify unknown parent and child processes, correlating the host's DNS cache entries with the suspicious process, and enumerating service details with Osquery for further context on the executing binary.
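As an added illustration (not the rule's own EQL query, nor code from the rule's author), the following Python reproduces the core matching logic over a few constructed process events: it keeps Windows process start events and flags those whose executable path falls under one of a set of uncommon directories. The directory list, the ECS-style field names and the sample events are assumptions made for this example; the page does not reproduce the rule's actual path list.

```python
import fnmatch
from typing import Dict, List

# Assumed list of directories that legitimate software rarely launches from
# (several are writable by unprivileged users). This is a stand-in for the
# rule's own path list, which this page does not reproduce.
UNCOMMON_DIRS = [
    r"C:\PerfLogs\*",
    r"C:\Users\Public\*",
    r"C:\Windows\Tasks\*",
    r"C:\Windows\Temp\*",
    r"C:\Windows\Debug\*",
    r"C:\Intel\*",
]

# Constructed sample process events using ECS-style field names (assumed).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host.os.type": "windows", "event.type": "start", "process.name": "svchost.exe",
     "process.executable": r"C:\Windows\System32\svchost.exe", "process.parent.name": "services.exe"},
    # cmd.exe copied into a user-writable folder and launched by an Office app
    {"host.os.type": "windows", "event.type": "start", "process.name": "cmd.exe",
     "process.executable": r"C:\Users\PUBLIC\Libraries\cmd.exe", "process.parent.name": "winword.exe"},
    {"host.os.type": "windows", "event.type": "start", "process.name": "update.exe",
     "process.executable": r"C:\PerfLogs\update.exe", "process.parent.name": "explorer.exe"},
    # process end event: same path, but not a start, so it must not alert twice
    {"host.os.type": "windows", "event.type": "end", "process.name": "x.exe",
     "process.executable": r"C:\Windows\Tasks\x.exe", "process.parent.name": "cmd.exe"},
    {"host.os.type": "linux", "event.type": "start", "process.name": "sh",
     "process.executable": "/tmp/sh", "process.parent.name": "bash"},
    {"host.os.type": "windows", "event.type": "start", "process.name": "chrome.exe",
     "process.executable": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "process.parent.name": "explorer.exe"},
]


def normalize(path: str) -> str:
    """Lower-case the path and use backslashes so matching is case-insensitive, as NTFS paths are."""
    return path.lower().replace("/", "\\")


def matched_directory(executable: str) -> str:
    """Return the directory pattern the executable path falls under, or "" if none matches.

    fnmatch's '*' also crosses backslashes, so files in nested subdirectories match too.
    """
    p = normalize(executable)
    for pattern in UNCOMMON_DIRS:
        if fnmatch.fnmatchcase(p, normalize(pattern)):
            return pattern
    return ""


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emulate the rule: Windows process start events whose executable path is uncommon."""
    hits = []
    for ev in events:
        if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
            continue
        pattern = matched_directory(ev.get("process.executable", ""))
        if pattern:
            hits.append({
                "process.executable": ev["process.executable"],
                "process.name": ev.get("process.name", ""),
                "process.parent.name": ev.get("process.parent.name", ""),
                "matched_directory": pattern,
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['process.parent.name']} -> {hit['process.executable']} "
              f"(matched {hit['matched_directory']})")
```

Two details matter in practice: the `event.type == "start"` guard prevents a second alert when the same process exits, and normalizing case before matching closes the trivial evasion of writing `C:\Users\PUBLIC\...`. When tuning, exclude individual known-good executables rather than whole directories, since dropping a directory from the list silently blinds the rule to everything under it.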
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- File
ATT&CK Techniques
- T1059 (Command and Scripting Interpreter)
- T1059.003 (Windows Command Shell)
- T1036 (Masquerading)
- T1036.005 (Match Legitimate Name or Location)
Created: 2020-10-30