Familiar Filename Launched with New Path on Host

Description

Processes are typically launched from the same path. When that path changes, it can be a malicious process masquerading as a legitimate one in order to hide in Task Manager. (MITRE CAR Reference)


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

A common technique employed by malware is to have a benign looking executable launch out of an unusual directory. Normal executions for the file will come out of a standard operating system path, but when we see the same filename launched out of multiple paths, it is time to investigate. Process whitelisting or lookup tables containing names of known-good executables can provide further fidelity here.

Alert Volume

Medium

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Masquerading

MITRE Threat Groups

APT1
APT32
APT41
BRONZE BUTLER
Carbanak
Dragonfly 2.0
FIN6
FIN7
Ke3chang
MuddyWater
PLATINUM
Patchwork
Poseidon Group
Scarlet Mimic
Soft Cell
Sowbug
TEMP.Veles
admin@338
menuPass

Kill Chain Phases

Installation
Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache dropdown below and select the sample item. A window will pop up telling you more about this feature.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search should very rarely generate false positives. In testing, the base search detected several executables that launch from both an x64 path and an x86 path, but because the search has a behavioral component, it only alerts on such a combination the first time it occurs.

How To Respond

When this search returns values, initiate your incident response process and capture the time of the event, executable, its associated path, the system, user and other pertinent information. Contact the owner of the systems. If it is authorized behavior, document that this is authorized and by whom. If not, the user credentials have been used by another party and additional investigation is warranted to determine why common files are launching from a different path.

Help

Familiar Filename Launched with New Path on Host Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of process launch events (Event ID 4688). We then separate the filename from the file path and look to see whether the same filename (e.g., svchost.exe) is run from multiple places by using dc(Image) by filename (where Image is the full path). For each file with multiple paths, we check to see if the first time that occurred was in the last day.

SPL for Familiar Filename Launched with New Path on Host

Demo Data

First we pull in our demo dataset.
Earlier versions of Sysmon didn't extract a filename by default, so we are adding that in here.
This line uses eventstats (which works just like stats except it adds all the additional fields to whatever your incoming dataset was) to let us know how many days of baseline we have for a host. This is important, because it allows us to filter out hosts without much of a history.
This line also uses eventstats to pull out, per host, how many paths a particular filename was executed with.
Finally we look for files that were launched with multiple paths, and then filter out some known false positives found in our demo dataset (quirk of how it was built out -- shouldn't occur in production).
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
Next we calculate the most recent timestamp in our demo dataset.
We end by seeing if the earliest time we've seen this value is within the last day of the end of our demo dataset.

Live Data

First we pull in our dataset of Windows process launch logs, care of EventID 4688 documented in this app. Any other EDR solution giving process launch logs will suffice here, as well.
Earlier versions of Sysmon didn't extract a filename by default, so we are adding that in here.
This line uses eventstats (which works just like stats except it adds all the additional fields to whatever your incoming dataset was) to let us know how many days of baseline we have for a host. This is important, because it allows us to filter out hosts without much of a history.
This line also uses eventstats to pull out, per host, how many paths a particular filename was executed with.
Finally we look for filenames that were launched with multiple paths.
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.
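The Demo Data and Live Data walkthroughs above describe the same pipeline: split the filename from Image, count distinct paths per filename per host, require a minimum baseline of history, then alert when the earliest time for a multi-path combination falls inside the last day. The following Python is an added illustration of that logic over constructed 4688-style events; it is not the app's SPL, and the host names, paths and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-launch events (Event ID 4688 style), not real data.
# Each tuple mirrors the fields the search relies on: _time, host, Image (full path).
EVENTS = [
    ("2024-03-01T08:00:00", "wks01", r"C:\Windows\System32\svchost.exe"),
    ("2024-03-02T08:05:00", "wks01", r"C:\Windows\System32\svchost.exe"),
    ("2024-03-03T08:10:00", "wks01", r"C:\Windows\System32\svchost.exe"),
    ("2024-03-04T09:00:00", "wks01", r"C:\Windows\System32\svchost.exe"),
    ("2024-03-05T10:30:00", "wks01", r"C:\Users\Public\svchost.exe"),  # never seen before
    ("2024-03-05T11:00:00", "wks02", r"C:\Windows\System32\svchost.exe"),
    ("2024-03-05T11:05:00", "wks02", r"C:\Temp\svchost.exe"),  # host has no history yet
]
DEMO_NOW = datetime(2024, 3, 5, 12)  # stands in for "now" (or the latest demo timestamp)

def detect(events, now, min_baseline_days=3, window=timedelta(days=1)):
    """Return (host, filename, path) combinations that are new within `window`,
    for filenames that run from more than one path on a host with enough baseline."""
    days_seen = defaultdict(set)    # host -> distinct days with events (eventstats baseline)
    paths = defaultdict(set)        # (host, filename) -> distinct Image values (dc(Image))
    first_seen, last_seen = {}, {}  # (host, filename, path) -> earliest / latest time (stats)
    for ts, host, image in events:
        t = datetime.fromisoformat(ts)
        image = image.lower()                  # Windows paths are case-insensitive
        filename = image.rsplit("\\", 1)[-1]   # separate the filename from its path
        days_seen[host].add(t.date())
        paths[(host, filename)].add(image)
        key = (host, filename, image)
        first_seen[key] = min(first_seen.get(key, t), t)
        last_seen[key] = max(last_seen.get(key, t), t)
    alerts = []
    for (host, filename, image), first in first_seen.items():
        if len(days_seen[host]) < min_baseline_days:   # too little history to judge
            continue
        if len(paths[(host, filename)]) < 2:            # filename only ever ran from one place
            continue
        if first >= now - window:                       # combination first appeared recently
            alerts.append({"host": host, "filename": filename, "path": image,
                           "first_seen": first.isoformat(),
                           "last_seen": last_seen[(host, filename, image)].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, DEMO_NOW):
        print(alert)
```

Lowering min_baseline_days to 1 makes wks02 eligible and produces two extra alerts for a host that has no real history, which is the noise the baseline filter exists to suppress.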