title: Suspicious Service Binary Directory
author: Florian Roth
date: 2021/03/09
description: Detects a service binary running in a suspicious directory
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image:
    - '*\Users\Public\\*'
    - '*\$Recycle.bin*'
    - '*\Users\All Users\\*'
    - '*\Users\Default\\*'
    - '*\Users\Contacts\\*'
    - '*\Users\Searches\\*'
    - '*C:\Perflogs\\*'
    - '*\config\systemprofile\\*'
    - '*\Windows\Fonts\\*'
    - '*\Windows\IME\\*'
    - '*\Windows\addins\\*'
  SELECTION_3:
    ParentImage:
    - '*\services.exe'
    - '*\svchost.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 883faa95-175a-4e22-8181-e5761aeb373c
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
status: experimental
tags:
- attack.defense_evasion
- attack.t1202
ruletype: SIGMA