Skip to content

Hide Navigation Hide TOC

Files With System Process Name In Unsuspected Locations (d5866ddf-ce8f-4aea-b28e-d96485a20d3d)

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Cluster A Galaxy A Cluster B Galaxy B Level
Files With System Process Name In Unsuspected Locations (d5866ddf-ce8f-4aea-b28e-d96485a20d3d) Sigma-Rules Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2