In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes.
| Technique | Tactic | Level of Coverage |
|---|---|---|
The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.
```
processes = search Process:Create
suspicious_locations = filter process where (
    image_path == "*:\RECYCLER\*" or
    image_path == "*:\SystemVolumeInformation\*" or
    image_path == "%windir%\Tasks\*" or
    image_path == "%systemroot%\debug\*"
)
output suspicious_locations
```
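The pseudocode above expressed as a runnable filter, as an added example that is not part of the CAR page. It assumes process events arrive as dicts with `object`, `action` and `image_path` fields, and takes the endpoint's `%windir%`/`%systemroot%` values from a supplied mapping rather than the host environment; the sample events are constructed.

```python
import fnmatch

# The four path patterns from the analytic. %windir% and %systemroot%
# are placeholders that must be expanded to the endpoint's configured values.
SUSPICIOUS_PATTERNS = [
    r"*:\RECYCLER\*",
    r"*:\SystemVolumeInformation\*",
    r"%windir%\Tasks\*",
    r"%systemroot%\debug\*",
]

def expand_patterns(env):
    """Expand %VAR% tokens from a supplied mapping (not os.environ, so it runs anywhere)."""
    expanded = []
    for pattern in SUSPICIOUS_PATTERNS:
        for name, value in env.items():
            pattern = pattern.replace(f"%{name}%", value)
        expanded.append(pattern.lower())
    return expanded

def is_suspicious_location(image_path, patterns):
    """True if image_path sits under one of the never-execute directories.
    Windows paths are case-insensitive, so compare lower-cased; '*' in fnmatch
    also spans backslashes, so sub-directories of these locations match too."""
    normalised = image_path.replace("/", "\\").lower()
    return any(fnmatch.fnmatchcase(normalised, p) for p in patterns)

def suspicious_process_creates(events, env):
    """Apply the analytic to a list of data-model events: keep only
    process/create events whose image_path hits a suspicious pattern."""
    patterns = expand_patterns(env)
    return [
        e for e in events
        if e["object"] == "process" and e["action"] == "create"
        and is_suspicious_location(e["image_path"], patterns)
    ]

# Constructed sample events (assumed field names; values are illustrative).
ENDPOINT_ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}
SAMPLE_EVENTS = [
    {"object": "process", "action": "create", "image_path": r"C:\Windows\Tasks\notepad.exe"},
    {"object": "process", "action": "create", "image_path": r"C:\Windows\System32\notepad.exe"},
    {"object": "process", "action": "create", "image_path": r"D:\RECYCLER\svchost.exe"},
    {"object": "process", "action": "create", "image_path": r"c:\windows\debug\update.exe"},
    {"object": "process", "action": "terminate", "image_path": r"C:\Windows\Tasks\notepad.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_process_creates(SAMPLE_EVENTS, ENDPOINT_ENV):
        print("ALERT:", hit["image_path"])
```

Only the three create events under Tasks, RECYCLER and debug are returned; the terminate event and the System32 launch are dropped.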
Test Case 1:
- Configurations: Windows 7
- Typically %systemroot% is C:\Windows, but you can check this by running "echo %systemdrive%" at the command line.
- Copy C:\Windows\system32\notepad.exe to C:\Windows\Tasks.
- Run notepad from that location. The analytic should fire.
- Delete the executable to clean up from the test.
```
copy C:\windows\system32\notepad.exe C:\windows\tasks
start C:\windows\tasks\notepad.exe
del C:\windows\tasks\notepad.exe
```
Monitors the directories
Data Model References