
Suspicious Service Binary Directory

Format: Sigma · Severity: HIGH · Source: SigmaHQ · ATT&CK: T1202 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-22T11:00:00Z · Confidence: medium

Hunt Hypothesis

A service binary (a child of services.exe or svchost.exe) is executing from a directory that legitimate Windows services rarely use, such as \Users\Public\, \$Recycle.bin or \Windows\Fonts\. These locations are attractive to attackers because they are writable by low-privileged users or seldom inspected, so a service image path under one of them is a strong signal of a staged payload or a tampered service configuration.

Detection Rule

Sigma (Original)

title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
status: test
description: Detects a service binary running in a suspicious directory
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\Users\Public\'
            - '\$Recycle.bin'
            - '\Users\All Users\'
            - '\Users\Default\'
            - '\Users\Contacts\'
            - '\Users\Searches\'
            - 'C:\Perflogs\'
            - '\config\systemprofile\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
            - '\Windows\addins\'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName contains "\\Users\\Public\\"
        or TargetProcessName contains "\\$Recycle.bin"
        or TargetProcessName contains "\\Users\\All Users\\"
        or TargetProcessName contains "\\Users\\Default\\"
        or TargetProcessName contains "\\Users\\Contacts\\"
        or TargetProcessName contains "\\Users\\Searches\\"
        or TargetProcessName contains "C:\\Perflogs\\"
        or TargetProcessName contains "\\config\\systemprofile\\"
        or TargetProcessName contains "\\Windows\\Fonts\\"
        or TargetProcessName contains "\\Windows\\IME\\"
        or TargetProcessName contains "\\Windows\\addins\\")
    and ((ParentProcessName endswith "\\services.exe" or ParentProcessName endswith "\\svchost.exe")
        or (ActingProcessName endswith "\\services.exe" or ActingProcessName endswith "\\svchost.exe"))

Required Data Sources

Sentinel table: imProcessCreate
Notes: Ensure the data connector is enabled. imProcessCreate is an ASIM Process Event parser function rather than a raw table, so the ASIM Process Event parsers must be deployed and at least one source that feeds them (for example Sysmon Event ID 1 or Windows Security Event 4688) must be connected.

False Positive Guidance

The upstream rule records its false positives as Unknown. Before enabling a high-severity alert, baseline which services in your estate execute from the listed paths. In particular, \config\systemprofile\ is the LocalSystem account's profile (C:\Windows\System32\config\systemprofile), so software that a LocalSystem service installs or updates under its own AppData will run from there with services.exe or svchost.exe as parent. Tune by excluding the specific known binaries rather than removing the path from the rule.

MITRE ATT&CK Context

T1202 (Indirect Command Execution), as tagged in the upstream rule. The rule's reference points to TrueSec's analysis of the ProxyLogon/Hafnium Exchange intrusions (see References).

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml