Description:
Malware execution from unusual directories is one of the favorite proactive detections. That’s where the defenders should have to spend more time as adversaries try to execute malware in a trusted path. Identifying well-known processes and their well know directory usage will reveal the malware process execution.
Malware Directory Paths:
Before malware is executed. It will use specific directories as a trusted way to run the malicious scripts.
Above is a Powershell script that is setting up the windows trusted directory “C:\windows\debug” with malicious PowerShell scripts to run. Instead, this is not running on the user account or not running on the current user directory.
Some of the well-known processes included for hunting:
| wscript.exe | Windows Script host is a service that provides scripting abilities for Windows operating systems. Wscript.exe is tasked with executing the VBScript files, and does not cause any harm to your PC. |
| RegSvcs.exe | RegSvcs.exe is part of the Remote Registry Services, used for registry manipulation. This is a critical Windows component and should not be disabled or removed. The file RegSvcs.exe is located in a subfolder of C:\Windows |
| powershell.exe | Powershell.exe is an executable file related to PowerShell and it doesn’t do harm to your computer in a normal state. The genuine Powershell.exe file is a critical part of the Windows system and it is located in a subfolder of C:\Windows\System32\WindowsPowerShell\v1.0\. |
| cscript.exe | Windows Console Based Script Host renders command line options for setting script properties. With this command line, users can run scripts by simply typing its name at the command prompt. Cscript.exe is located in the C:\Windows\System32 folder. |
| cmd.exe | cmd.exe interacts with the user through a command-line interface. On Windows, this interface is implemented through the Win32 console the original cmd.exe from Microsoft is an important part of Windows, but often causes problems. Cmd.exe is located in the C:\Windows\System32 folder. |
| rundll32.exe | rundll32.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. The original rundll32.exe from Microsoft is an important part of Windows, but often causes problems. Rundll32.exe is located in the C:\Windows\System32 folder or sometimes in the C:\Windows folder. |
| regsvr32.exe | Regsvr32.exe can be used to execute arbitrary binaries. Regsvr32.exe is located in a subfolder of C:\Windows—in most cases C:\Windows\SysWOW64\ |
Malware Execution From Unusual Path Cmdline:
Creating a rule to track the well known processes executing malware in suspicious paths.
query = ”’
process where event.type in (“start”, “process_started”, “info”) and
process.name : (“wscript.exe”,
“cscript.exe”,
“rundll32.exe”,
“regsvr32.exe”,
“cmstp.exe”,
“RegAsm.exe”,
“installutil.exe”,
“mshta.exe”,
“RegSvcs.exe”,
“powershell.exe”,
“pwsh.exe”,
“cmd.exe”) and
/* Adding suspicious execution paths here
/ process.args : (“C:\PerfLogs\“,
“C:\Users\Public\“, “C:\Users\Default\“,
“C:\Windows\Tasks\“, “C:\Intel\“,
“C:\AMD\Temp\“, “C:\Windows\AppReadiness\“,
“C:\Windows\ServiceState\“, “C:\Windows\security\“,
“C:\Windows\IdentityCRL\“, “C:\Windows\Branding\“,
“C:\Windows\csc\“, “C:\Windows\DigitalLocker\“,
“C:\Windows\en-US\“, “C:\Windows\wlansvc\“,
“C:\Windows\Prefetch\“, “C:\Windows\Fonts\“,
“C:\Windows\diagnostics\“, “C:\Windows\TAPI\“,
“C:\Windows\INF\“, “C:\Windows\System32\Speech\“,
“C:\windows\tracing\“, “c:\windows\IME\“,
“c:\Windows\Performance\“, “c:\windows\intel\“,
“c:\windows\ms\“, “C:\Windows\dot3svc\“,
“C:\Windows\ServiceProfiles\“, “C:\Windows\panther\“,
“C:\Windows\RemotePackages\“, “C:\Windows\OCR\“,
“C:\Windows\appcompat\“, “C:\Windows\apppatch\“,
“C:\Windows\addins\“, “C:\Windows\Setup\“,
“C:\Windows\Help\“, “C:\Windows\SKB\“,
“C:\Windows\Vss\“, “C:\Windows\Web\“,
“C:\Windows\servicing\“, “C:\Windows\CbsTemp\“,
“C:\Windows\Logs\“, “C:\Windows\WaaS\“,
“C:\Windows\twain_32\“, “C:\Windows\ShellExperiences\“,
“C:\Windows\ShellComponents\“, “C:\Windows\PLA\“,
“C:\Windows\Migration\“, “C:\Windows\debug\“,
“C:\Windows\Cursors\“, “C:\Windows\Containers\“,
“C:\Windows\Boot\“, “C:\Windows\bcastdvr\“,
“C:\Windows\assembly\“, “C:\Windows\TextInput\“,
“C:\Windows\security\“, “C:\Windows\schemas\“,
“C:\Windows\SchCache\“, “C:\Windows\Resources\“,
“C:\Windows\rescache\“, “C:\Windows\Provisioning\“,
“C:\Windows\PrintDialog\“, “C:\Windows\PolicyDefinitions\“,
“C:\Windows\media\“, “C:\Windows\Globalization\“,
“C:\Windows\L2Schemas\“, “C:\Windows\LiveKernelReports\“,
“C:\Windows\ModemLogs\“, “C:\Windows\ImmersiveControlPanel\“,
“C:\$Recycle.Bin\“)
and not process.parent.executable :
(“C:\WINDOWS\System32\DriverStore\FileRepository\\igfxCUIService*.exe”,
“C:\Windows\System32\spacedeskService.exe”,
“C:\Program Files\Dell\SupportAssistAgent\SRE\SRE.exe”) and
not (process.name : “rundll32.exe” and process.args : (“uxtheme.dll,#64”, “PRINTUI.DLL,PrintUIEntry”))
Source/Credits: https://twitter.com/SBousseaden
Happy Hunting!