Common Filename Launched from New Path

Description

Simpler malware will hide in plain sight with a filename like explorer.exe, running from the user profile. This detection looks for common, expected executable names launching from paths never seen before. (MITRE CAR Reference)

Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

There are certain processes that everyone expects to see running on their Windows hosts, like iexplore.exe or svchost.exe. But they are supposed to run from very specific places. This fairly simple search finds legitimate-looking filenames that are running from unusual paths never seen before.

Alert Volume

Very Low (for most companies)

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Masquerading

MITRE Threat Groups

APT1
APT32
APT41
BRONZE BUTLER
Carbanak
Dragonfly 2.0
FIN6
FIN7
Ke3chang
MuddyWater
PLATINUM
Patchwork
Poseidon Group
Scarlet Mimic
Soft Cell
Sowbug
TEMP.Veles
admin@338
menuPass

Kill Chain Phases

Installation
Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache dropdown below and select the sample item. A window will pop up telling you more about this feature.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search should almost never fire, except for suspicious events, as it's virtually guaranteed that any events firing are specifically trying to deceive the operator.

How To Respond

When this search returns values, initiate your incident response process and identify the system demonstrating this behavior. Determine the time, process and parent process that is being executed and by what account on the system. Contact the user and system owner to determine if it is authorized, and make a note that this is authorized and by whom. If not, the user credentials may have been used by another party and additional investigation is warranted to determine why an executable is starting from a path not previously executed from.

Help

Common Filename Launched from New Path Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of process launch events (Event ID 4688) filtered for known good filenames running from atypical directories. We find the first time that filename launched from that path, and then alert if that was in the last day.

SPL for Common Filename Launched from New Path

Demo Data

First we pull in our demo dataset.
Then we filter for the individual launches of common Windows filenames.
Earlier versions of Sysmon didn't extract a filename by default, so we are adding that in here.
Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
Next we calculate the most recent timestamp in our demo dataset.
We end by checking whether the earliest time we've seen this value is within the last day before the end of our demo dataset.

Live Data

First we pull in our dataset of Windows process launch logs, filtered to our common Windows executables, courtesy of EventID 4688 as documented in this app. Any other EDR solution giving process launch logs will suffice here as well. Notably, this technique of searching for the value first and then the field=value can bypass some quirks around field extractions, and make searches faster for very large datasets (though that's an area of active work, and it's less true every year).
Earlier versions of Sysmon didn't extract a filename by default, so we are adding that in here.
Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value is within the last day.
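The Demo Data and Live Data steps above describe the same first-time-seen logic. The following is an added Python example (not the app's own SPL) that reproduces it over a handful of constructed Event ID 4688-style records: filter to common executable names, compute the earliest and latest launch time per (filename, path) pair, then flag pairs whose earliest launch falls within the last day of either the dataset end (demo variant) or a supplied reference time (live variant). Hostnames, paths and timestamps are made up for the example.

```python
from datetime import datetime, timedelta

# Executable names every Windows host is expected to run (page's examples).
COMMON_FILENAMES = {"explorer.exe", "svchost.exe", "iexplore.exe"}

# Constructed Event ID 4688-style records: (time, host, New Process Name).
# These are sample values made up for this example, not real logs.
SAMPLE_EVENTS = [
    ("2023-05-01 08:00:00", "WS01", "C:\\Windows\\System32\\svchost.exe"),
    ("2023-05-02 09:30:00", "WS01", "C:\\Windows\\explorer.exe"),
    ("2023-05-10 09:00:00", "WS02", "C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.exe"),
    ("2023-05-10 09:05:00", "WS02", "C:\\Users\\alice\\AppData\\Local\\Temp\\notepad.exe"),
    ("2023-05-10 10:00:00", "WS01", "C:\\Windows\\System32\\svchost.exe"),
]


def split_process_name(new_process_name):
    """Split a full image path into (directory, filename), lower-cased so
    that C:\\Windows and c:\\windows count as the same path."""
    directory, _, filename = new_process_name.rpartition("\\")
    return directory.lower(), filename.lower()


def earliest_latest_by_filename_path(events):
    """Equivalent of the stats step: earliest and latest launch time for every
    (filename, path) pair, restricted to the common filenames."""
    stats = {}
    for timestamp, _host, image in events:
        directory, filename = split_process_name(image)
        if filename not in COMMON_FILENAMES:
            continue  # only "known good" names are of interest here
        seen = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
        earliest, latest = stats.get((filename, directory), (seen, seen))
        stats[(filename, directory)] = (min(earliest, seen), max(latest, seen))
    return stats


def new_path_launches(events, reference_time=None, lookback=timedelta(days=1)):
    """Flag pairs first seen within `lookback` of `reference_time`. With no
    reference time the end of the dataset is used (Demo Data variant);
    pass datetime.now() for the Live Data variant."""
    stats = earliest_latest_by_filename_path(events)
    if not stats:
        return []
    if reference_time is None:
        reference_time = max(latest for _, latest in stats.values())
    cutoff = reference_time - lookback
    return sorted(key for key, (earliest, _) in stats.items() if earliest >= cutoff)


if __name__ == "__main__":
    for filename, path in new_path_launches(SAMPLE_EVENTS):
        print(f"first-time-seen: {filename} launched from {path}")
```

The Sysmon note in the steps applies here too: if your source only carries the full image path, the split above is the equivalent of extracting the filename field yourself.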