windows_suspicious_process_file_path.yml
name: Windows Suspicious Process File Path
id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
version: 18
date: '2025-12-10'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic identifies processes running from file paths
  not typically associated with legitimate software. It leverages data from
  Endpoint Detection and Response (EDR) agents, focusing on specific process
  paths within the Endpoint data model. This activity is significant because
  adversaries often use unconventional file paths to execute malicious code
  without requiring administrative privileges. If confirmed malicious, this
  behavior could indicate an attempt to bypass security controls, leading to
  unauthorized software execution, potential system compromise, and further
  malicious activities within the environment.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
  as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.process_path IN("*\\windows\\fonts\\*",
  "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
  "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*",
  "*:\\Windows\\Prefetch\\*", "*:\\Windows\\Cursors\\*", "*:\\Windows\\INF\\*") AND
  NOT(Processes.process_path IN ("*\\temp\\*")) by Processes.action Processes.dest
  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `windows_suspicious_process_file_path_filter`'
how_to_implement: The detection is based on data that originates from Endpoint
  Detection and Response (EDR) agents. These agents are designed to provide
  security-related telemetry from the endpoints where the agent is installed. To
  implement this search, you must ingest logs that contain the process GUID,
  process name, and parent process. Additionally, you must ingest complete
  command-line executions. These logs must be processed using the appropriate
  Splunk Technology Add-ons that are specific to the EDR product. The logs must
  also be mapped to the `Processes` node of the `Endpoint` data model. Use the
  Splunk Common Information Model (CIM) to normalize the field names and speed
  up the data modeling process.
known_false_positives: Administrators may allow execution of specific binaries
  in non-standard paths. Filter as needed.
references:
- https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- https://twitter.com/pr0xylife/status/1590394227758104576
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
drilldown_searches:
- name: View the detection results for - "$dest$"
  search: '%original_detection_search% | search dest = "$dest$"'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
    starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
rba:
  message: Suspicious process $process_name$ running from a suspicious process
    path- $process_path$ on host- $dest$
  risk_objects:
  - field: dest
    type: system
    score: 60
  threat_objects:
  - field: process_path
    type: process_name
tags:
  analytic_story:
  - PlugX
  - Water Gamayun
  - Warzone RAT
  - Swift Slicer
  - Data Destruction
  - AgentTesla
  - LockBit Ransomware
  - Volt Typhoon
  - Brute Ratel C4
  - WhisperGate
  - Industroyer2
  - DarkGate Malware
  - ValleyRAT
  - XMRig
  - Chaos Ransomware
  - Hermetic Wiper
  - Remcos
  - Quasar RAT
  - Rhysida Ransomware
  - DarkCrystal RAT
  - Qakbot
  - China-Nexus Threat Activity
  - XWorm
  - IcedID
  - CISA AA23-347A
  - Azorult
  - Handala Wiper
  - Salt Typhoon
  - Earth Alux
  - Double Zero Destructor
  - Trickbot
  - Malicious Inno Setup Loader
  - BlackByte Ransomware
  - SystemBC
  - Phemedrone Stealer
  - Graceful Wipe Out Attack
  - Prestige Ransomware
  - Amadey
  - AsyncRAT
  - RedLine Stealer
  - SnappyBee
  - Meduza Stealer
  - MoonPeak
  - Interlock Ransomware
  - Interlock Rat
  - NailaoLocker Ransomware
  - PromptLock
  - GhostRedirector IIS Module and Rungan Backdoor
  - Lokibot
  - Castle RAT
  - SesameOp
  asset_type: Endpoint
  mitre_attack_id:
  - T1543
  - T1036.005
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: XmlWinEventLog
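The following is an added example (not part of the Splunk security_content rule above) that reproduces the search's path-matching and grouping logic in Python over constructed, already-normalised `Endpoint.Processes` records, so the include/exclude behaviour of the `IN(...)` and `NOT(... IN ("*\\temp\\*"))` clauses can be checked offline. It assumes case-insensitive wildcard matching (mirroring the rule's mixed-case patterns) and gives the `\Windows\repair\` pattern a leading `*` like its neighbours; the sample events and the `run_detection` helper are constructed for this example.

```python
import fnmatch

# Wildcard patterns from the rule's process_path IN(...) clause. The
# "\Windows\repair\" entry carries a leading "*" like its neighbours so it
# can match an absolute path (assumption: that is the intended behaviour).
SUSPICIOUS_PATHS = [
    r"*\windows\fonts\*", r"*\users\public\*", r"*\windows\debug\*",
    r"*\Users\Administrator\Music\*", r"*Recycle.bin*", r"*\Windows\Media\*",
    r"*\Windows\repair\*", r"*\PerfLogs\*", r"*:\Windows\Prefetch\*",
    r"*:\Windows\Cursors\*", r"*:\Windows\INF\*",
]
# Mirrors NOT(Processes.process_path IN ("*\\temp\\*")) in the rule.
EXCLUDED_PATHS = [r"*\temp\*"]


def _matches_any(value, patterns):
    # fnmatchcase escapes backslashes and dots, so only '*' acts as a wildcard.
    # Case-insensitive comparison is an assumption that mirrors the rule's
    # mixed-case patterns ("windows\fonts" next to "Windows\Media").
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_suspicious_path(process_path):
    """True when the path matches a suspicious pattern and no exclusion."""
    return (_matches_any(process_path, SUSPICIOUS_PATHS)
            and not _matches_any(process_path, EXCLUDED_PATHS))


def run_detection(events):
    """Mimic the tstats grouping: count and first/last time per (dest, path, name)."""
    results = {}
    for ev in events:
        if not is_suspicious_path(ev["process_path"]):
            continue
        key = (ev["dest"], ev["process_path"], ev["process_name"])
        r = results.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                     "lastTime": ev["_time"]})
        r["count"] += 1
        r["firstTime"] = min(r["firstTime"], ev["_time"])
        r["lastTime"] = max(r["lastTime"], ev["_time"])
    return results


# Constructed sample events, already normalised to Endpoint.Processes field names.
SAMPLE_EVENTS = [
    {"dest": "WS01", "_time": 100, "process_name": "update.exe",
     "process_path": r"C:\Users\Public\update.exe"},
    {"dest": "WS01", "_time": 160, "process_name": "update.exe",
     "process_path": r"C:\Users\Public\update.exe"},              # same group, count 2
    {"dest": "WS01", "_time": 170, "process_name": "setup.exe",
     "process_path": r"C:\Users\Public\Temp\setup.exe"},         # dropped by *\temp\*
    {"dest": "WS02", "_time": 200, "process_name": "svchost.exe",
     "process_path": r"C:\$Recycle.Bin\S-1-5-21-1\svchost.exe"},  # *Recycle.bin*
    {"dest": "WS02", "_time": 210, "process_name": "app.exe",
     "process_path": r"C:\Program Files\Vendor\app.exe"},        # benign location
]
```

Running `run_detection(SAMPLE_EVENTS)` yields two grouped rows (the Public-folder binary with count 2, and the Recycle.Bin binary); the Temp sub-folder event is suppressed exactly as the rule's exclusion intends.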