Authored By:
Christopher Bentley – @cbentle2
Description:
Generic indicator to identify common Windows system processes that are not running from their default process path locations:
cmd.exe, csrss.exe, explorer.exe, lsass.exe, services.exe, spoolsv.exe, smss.exe, svchost.exe, winlogon.exe and ctfmon.exe
Indicators:
OR
  AND
    Process Name is explorer.exe
    Process path is not C:\WINDOWS\
  AND
    Process Name is cmd.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is lsass.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is services.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is csrss.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is spoolsv.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is smss.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is svchost.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is winlogon.exe
    Process path is not C:\WINDOWS\system32
  AND
    Process Name is ctfmon.exe
    Process path is not C:\WINDOWS\system32
IOC File:
7fe9ed86-72f5-4444-b99e-72ae535154fa.ioc
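The indicator logic above, evaluated over constructed process records the way an analyst would test it against EDR or Sysmon process-creation telemetry. This is an added example, not the IOC file itself or code from the author; the record shape (name, path), the function names and the sample paths are assumptions made for the example. It accepts either the directory form used by the indicator's "Process path" term or a full image path, and compares directories case-insensitively because NTFS paths are.

```python
"""Added example (not part of the original indicator file): applies the
process name / default path checks above to constructed process records."""
import ntpath

# Expected parent directory for each monitored process, taken from the
# indicator above. Keys are lowercase so lookups are case-insensitive.
EXPECTED_DIRS = {
    "explorer.exe": r"C:\WINDOWS",
    "cmd.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "csrss.exe": r"C:\WINDOWS\system32",
    "spoolsv.exe": r"C:\WINDOWS\system32",
    "smss.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "ctfmon.exe": r"C:\WINDOWS\system32",
}


def _normalize_dir(path):
    """Lower-case, backslash-normalize and drop a trailing separator so that
    'C:\\WINDOWS\\' and 'c:/windows' compare equal (NTFS is case-insensitive)."""
    return ntpath.normcase(path).rstrip("\\")


def _parent_dir(process_name, process_path):
    """Accept either a directory (as the indicator's 'Process path' term does)
    or a full image path ending in the process name; return the directory."""
    if ntpath.basename(process_path).lower() == process_name.lower():
        return ntpath.dirname(process_path)
    return process_path


def is_suspicious(process_name, process_path):
    """True when the process is one of the monitored names and is running from
    somewhere other than its default directory. Names outside the list are
    out of scope for this indicator and are never flagged."""
    expected = EXPECTED_DIRS.get(process_name.lower())
    if expected is None:
        return False
    actual = _parent_dir(process_name, process_path)
    return _normalize_dir(actual) != _normalize_dir(expected)


def find_suspicious(records):
    """Apply the indicator to (name, path) records and return the flagged ones."""
    return [(name, path) for name, path in records if is_suspicious(name, path)]


# Constructed sample telemetry (assumed record shape), not captured from a real host.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),     # default location
    ("explorer.exe", r"C:\Windows\explorer.exe"),            # default location
    ("spoolsv.exe", r"C:\WINDOWS\system32"),                 # directory-form path, default
    ("svchost.exe", r"C:\Users\Public\svchost.exe"),         # copy outside system32
    ("lsass.exe", r"C:\Windows\Temp\lsass.exe"),             # copy outside system32
    ("notepad.exe", r"C:\Users\bob\Downloads\notepad.exe"),  # not a monitored name
    ("cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),             # legitimate 32-bit copy, still flagged
]

if __name__ == "__main__":
    for name, path in find_suspicious(SAMPLE_PROCESSES):
        print(f"ALERT: {name} running from {path}")
```

The last sample record shows the main tuning point: on 64-bit Windows a legitimate 32-bit cmd.exe lives under C:\Windows\SysWOW64, and the indicator as written only allows system32, so that path is flagged. In practice the same check is run with an extra allowed directory per name, or the hits are reviewed alongside the parent process and file hash before being treated as an alert.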