Adversaries may be executing legitimate system32 or syswow64 files under different names or locations to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware or privilege escalation attempts that bypass traditional detection methods.
KQL Query
let nonSystemProcesses =
    DeviceProcessEvents
    | where Timestamp > ago(7d) //Adjust your desired date range here and set the date/time picker to 30 days
    | where FolderPath !startswith @"C:\Windows\system32\" and FolderPath !startswith @"C:\Windows\SysWOW64\" and isnotempty(MD5)
        and FileName !in~ ("MpSigStub.exe","GACUtil_20.exe");
//Get a list of MD5s of all processes run from system32 or SysWOW64
let systemProcessHashes =
    DeviceProcessEvents
    | where Timestamp > ago(30d) //Keep this at 30 days so it uses all available data to compile the list of hashes
    //Parenthesised so that isnotempty(MD5) and the exclusion list apply to both folders, not only to SysWOW64
    | where (FolderPath startswith @"C:\Windows\system32\" or FolderPath startswith @"C:\Windows\SysWOW64\") and isnotempty(MD5)
        and FileName !in~ ("fileacl.exe","WerFault.exe")
    | summarize LegitFolderPath=make_set(tolower(FolderPath)) by MD5, LegitFileName=FileName;
//Join the two tables on MD5, where the filenames do not match
systemProcessHashes
| join kind=inner (nonSystemProcesses) on MD5
| where tolower(LegitFileName)!=tolower(FileName)
| project Timestamp, DeviceName, FileName, FolderPath, LegitFileName, LegitFolderPath, MD5, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, ReportId, DeviceId
| top 100 by Timestamp desc
id: e1528e63-165f-4810-b2eb-24a181a3011e
name: Masquerading system executable
description: |
  Finds legitimate system32 or syswow64 executables being run under a different name and in a different location.
  The rule will require tuning for your environment.
  MITRE: Masquerading https://attack.mitre.org/techniques/T1036.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  //Get a list of all processes run, except those run from system32 or SysWOW64.
  let nonSystemProcesses =
      DeviceProcessEvents
      | where Timestamp > ago(7d) //Adjust your desired date range here and set the date/time picker to 30 days
      | where FolderPath !startswith @"C:\Windows\system32\" and FolderPath !startswith @"C:\Windows\SysWOW64\" and isnotempty(MD5)
          and FileName !in~ ("MpSigStub.exe","GACUtil_20.exe");
  //Get a list of MD5s of all processes run from system32 or SysWOW64
  let systemProcessHashes =
      DeviceProcessEvents
      | where Timestamp > ago(30d) //Keep this at 30 days so it uses all available data to compile the list of hashes
      //Parenthesised so that isnotempty(MD5) and the exclusion list apply to both folders, not only to SysWOW64
      | where (FolderPath startswith @"C:\Windows\system32\" or FolderPath startswith @"C:\Windows\SysWOW64\") and isnotempty(MD5)
          and FileName !in~ ("fileacl.exe","WerFault.exe")
      | summarize LegitFolderPath=make_set(tolower(FolderPath)) by MD5, LegitFileName=FileName;
  //Join the two tables on MD5, where the filenames do not match
  systemProcessHashes
  | join kind=inner (nonSystemProcesses) on MD5
  | where tolower(LegitFileName)!=tolower(FileName)
  | project Timestamp, DeviceName, FileName, FolderPath, LegitFileName, LegitFolderPath, MD5, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, ReportId, DeviceId
  | top 100 by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A legitimate system executable like taskmgr.exe is renamed to taskmgr.bat and placed in a user’s home directory to execute a script.
Filter/Exclusion: Exclude files with .bat, .cmd, or .ps1 extensions from the rule, or filter by file path to exclude user directories.
Scenario: A system update or patching tool like WindowsUpdate.exe is moved to a temporary directory during deployment and executed under a different name (e.g., patchtool.exe) as part of an automated update process.
Filter/Exclusion: Exclude files in known temporary directories (e.g., C:\Windows\Temp, C:\Users\*\AppData\Local\Temp) or include known patching tools in a whitelist.
Scenario: A scheduled task runs a legitimate system executable like regsvr32.exe under a different name (e.g., regsvr32.bat) to execute a script for registry updates.
Filter/Exclusion: Exclude files with .bat or .cmd extensions in scheduled task directories (e.g., C:\Windows\Tasks) or whitelist known scheduled task scripts.
Scenario: A system administrator uses a renamed executable like notepad.exe (renamed to notepad_new.exe) to run a custom script for internal tooling or configuration management.
Filter/Exclusion: Exclude files with modified names in known admin tool directories (e.g., C:\Program Files\CustomTools) or include known admin scripts in a whitelist.
Scenario: A legitimate system executable like mspaint.exe is used in a legitimate enterprise application that renames it temporarily for compatibility or branding purposes.
Filter/Exclusion: Exclude files in known enterprise application directories (e.g., C:\Program Files\EnterpriseApp) or include known application-renamed
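A tuned variant of the hunt that applies the path-scoped allow-listing the scenarios above call for and collapses repeats so triage sees how widely each rename is spread. This is an added example, not the query shipped with the rule; the `allowedRenames` table, its two entries and `huntWindow` are constructed assumptions to be replaced with values from your own environment.

```kusto
// Constructed allow-list for the renames the tuning scenarios describe: the legitimate
// binary name (lower case, because join keys are case-sensitive) and the lower-cased path
// prefix it may run from under another name. One prefix per name; entries are illustrative.
let allowedRenames = datatable(LegitFileName:string, AllowedPathPrefix:string)
[
    "notepad.exe", @"c:\program files\customtools\",
    "mspaint.exe", @"c:\program files\enterpriseapp\"
];
let huntWindow = 7d;
// Baseline: every hash observed running from system32/SysWOW64 over the full 30 days.
// The folder test is parenthesised so isnotempty(MD5) applies to both branches.
let systemProcessHashes =
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where (FolderPath startswith @"C:\Windows\system32\" or FolderPath startswith @"C:\Windows\SysWOW64\")
        and isnotempty(MD5)
        and FileName !in~ ("fileacl.exe", "WerFault.exe")
    | summarize LegitFolderPath = make_set(tolower(FolderPath)) by MD5, LegitFileName = tolower(FileName);
// Candidates: the same binaries executing from anywhere else inside the hunting window.
let nonSystemProcesses =
    DeviceProcessEvents
    | where Timestamp > ago(huntWindow)
    | where not(FolderPath startswith @"C:\Windows\system32\" or FolderPath startswith @"C:\Windows\SysWOW64\")
        and isnotempty(MD5)
        and FileName !in~ ("MpSigStub.exe", "GACUtil_20.exe");
systemProcessHashes
| join kind=inner (nonSystemProcesses) on MD5
| where tolower(FileName) != LegitFileName
// Apply the allow-list: a documented rename is tolerated only under its documented path prefix,
// so the same binary renamed into a user profile or a Temp folder still surfaces.
| join kind=leftouter (allowedRenames) on LegitFileName
| where isempty(AllowedPathPrefix) or not(tolower(FolderPath) startswith AllowedPathPrefix)
// Collapse repeats so triage sees spread rather than raw events: a rename present on many
// devices usually points at deployment tooling, one confined to a single host deserves a look.
| summarize Events = count(), Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            LegitFolderPath = take_any(LegitFolderPath),
            SampleDevice = take_any(DeviceName), SampleCommandLine = take_any(ProcessCommandLine),
            SampleParent = take_any(InitiatingProcessFileName)
    by MD5, LegitFileName, FileName, CandidatePath = tolower(FolderPath)
| order by Devices asc, LastSeen desc
| take 100
```

Rows with a low `Devices` count and a `CandidatePath` under a user profile are the ones to pivot on first; `SampleParent` and `SampleCommandLine` give the context for the follow-up query against the raw events.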