In Windows, there are directories from which a process should never run. These directories exist for legitimate reasons, and executables may legitimately be stored in them, but nothing should ever execute from them. As a result, some defenders make the mistake of ignoring these directories and assuming that no process will ever start from one. Known TTPs have taken advantage of exactly that blind spot to go undetected. Defenders should instead monitor these directories closely: a process whose image path lies inside one is anomalous by definition, so the analytic needs no baseline and produces few false positives.

ATT&CK Detection

Technique     Tactic            Level of Coverage
Masquerading  Defense Evasion   Moderate

Pseudocode

The recycle bin (RECYCLER on Windows XP and earlier, $Recycle.Bin on Windows Vista and later) and the System Volume Information directory are present at the root of every NTFS volume, so they are matched on any drive letter rather than only on the system drive. Note that the on-disk name is "System Volume Information", with spaces. %systemroot% and %windir% both normally resolve to C:\Windows; replace them with the actual values configured on the endpoints. Windows paths are case-insensitive, so the comparisons below must be as well.

processes = search Process:Create
suspicious_locations = filter processes where (
 image_path == "*:\RECYCLER\*" or
 image_path == "*:\$Recycle.Bin\*" or
 image_path == "*:\System Volume Information\*" or
 image_path == "%windir%\Tasks\*" or
 image_path == "%systemroot%\debug\*"
)
output suspicious_locations
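The pseudocode above applied to process-creation events, as an added example that is not part of the original analytic. It expands the %windir% and %systemroot% placeholders from a supplied environment map, normalizes paths so that matching is case-insensitive and slash-agnostic (both are Windows semantics the pseudocode leaves implicit), and runs the filter over a handful of constructed events shaped like the data model at the bottom of the page. The $Recycle.Bin pattern is an assumption added so the rule also fires on Vista and later; everything else mirrors the patterns in the pseudocode.

```python
import re
from fnmatch import fnmatchcase

# Directories from which no process should ever execute, as glob patterns.
# RECYCLER is the XP-era recycle bin; $Recycle.Bin (Vista and later) is added
# here as an assumption so the rule also fires on current Windows. The real
# directory name is "System Volume Information", with spaces.
SUSPICIOUS_PATTERNS = [
    r"*:\RECYCLER\*",
    r"*:\$Recycle.Bin\*",
    r"*:\System Volume Information\*",
    r"%windir%\Tasks\*",
    r"%systemroot%\debug\*",
]

# Typical values; replace with what the endpoints actually report.
DEFAULT_ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}


def expand_env(pattern, env):
    """Expand %VAR% tokens the way cmd.exe does (variable names are case-insensitive)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)),
                  pattern)


def normalize(path):
    """Windows paths are case-insensitive and accept either slash; canonicalize both."""
    return path.replace("/", "\\").lower()


def is_suspicious_path(image_path, env=DEFAULT_ENV):
    """True if image_path lies inside a directory that should never run code."""
    norm = normalize(image_path)
    return any(fnmatchcase(norm, normalize(expand_env(p, env)))
               for p in SUSPICIOUS_PATTERNS)


def find_suspicious(events, env=DEFAULT_ENV):
    """The analytic: process create events whose image_path hits a pattern."""
    return [e for e in events
            if e["object"] == "process" and e["action"] == "create"
            and is_suspicious_path(e["image_path"], env)]


# Constructed sample events in the shape of the page's data model (not real telemetry).
SAMPLE_EVENTS = [
    {"object": "process", "action": "create", "pid": 1100,
     "image_path": r"C:\Windows\System32\svchost.exe"},
    {"object": "process", "action": "create", "pid": 2310,
     "image_path": r"C:\Windows\Tasks\notepad.exe"},
    {"object": "process", "action": "create", "pid": 2480,
     "image_path": r"D:\System Volume Information\update.exe"},
    {"object": "process", "action": "create", "pid": 2512,
     "image_path": r"c:\$Recycle.Bin\S-1-5-21-1-2-3-1001\svchost.exe"},
    {"object": "process", "action": "create", "pid": 2600,
     "image_path": r"C:\Windows\Tasks2\legit.exe"},  # similar prefix, must not match
    {"object": "file", "action": "create", "pid": 2310,
     "image_path": r"C:\Windows\Tasks\dropped.exe"},  # a file write, not a process start
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} image_path={hit['image_path']}")
```

The trailing backslash in each pattern is what keeps C:\Windows\Tasks2\legit.exe from matching; a naive prefix check on "C:\Windows\Tasks" would fire on it. Subdirectories (for example %systemroot%\debug\WIA) are intentionally covered, as they are in the pseudocode.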

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Description:
    1. %systemroot% is typically C:\Windows; confirm it by running "echo %systemroot%" at the command line.
    2. Copy C:\Windows\System32\notepad.exe to C:\Windows\Tasks.
    3. Run the copy. The analytic should fire on the Process:Create event with image_path C:\Windows\Tasks\notepad.exe.
    4. Close notepad, then delete the copied executable to clean up from the test (the delete fails while the process is still running).
  • Commands:
    copy C:\windows\system32\notepad.exe C:\windows\tasks
    start C:\windows\tasks\notepad.exe
    taskkill /im notepad.exe /f
    del C:\windows\tasks\notepad.exe

Additional Notes:

Monitors the directories

  • *:\RECYCLER (Windows XP and earlier)
  • *:\$Recycle.Bin (Windows Vista and later)
  • *:\System Volume Information
  • %systemroot%\Tasks
  • %systemroot%\debug

%systemroot% and %windir% normally point to the same directory, so %windir%\Tasks in the pseudocode and %systemroot%\Tasks here are the same location.

Data Model References

Object    Action    Field
process   create    image_path