Query for Process execution from unusual directories

AID2201222048.yaml

#####aid_begin
#description: Fetch process-execution events originating from unusual directories.
#id: aid2201222048
#processtype: query
#category: eventlog
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  format-BGEvent
#  1) get the Sysmon/Operational events whose event ID is 1 or 5
#notes: |- 
#  Identifies process execution from suspicious default Windows directories. Adversaries may abuse these trusted paths to hide malware.
#   o event source: sysmon
#   o schema used: "sysmon.schema"
#   o event dataset: "microsoft-windows-sysmon/operational"
#   o event IDs: '1,5'
#####aid_end
# Query body. Format-BGEvent reads the Sysmon/Operational log and evaluates the EQL expression
# below; the -Schema file is presumably what maps raw Sysmon fields to names such as process_name —
# confirm against Sysmon.Schema.
# NOTE(review): -MaxEvents 5000 appears to cap how many (newest) events are examined, so on a busy
# host an empty result means "no match within the retrieved window", not "no match on the host".
# NOTE(review): the include list contains '*\\Windows\\security\\*.exe' twice; harmless, but tidy up.
# NOTE(review): the trailing `not wildcard(...)` exclusions match on the trailing file name only
# (e.g. '*\\LMS.exe'), so any executable carrying one of those names inside a monitored directory
# is also suppressed. Consider anchoring each exclusion to its expected parent directory, or to a
# signer/hash field if the schema exposes one — confirm.
# NOTE(review): the pattern list continues on the following line; if that continuation is not
# indented under the list item in the source file, YAML will not fold it into the same scalar —
# verify the file still parses.
commands:
- Format-BGEvent -Event "Microsoft-Windows-Sysmon/operational" -PropsOnly -MaxEvents 5000 -ID '1,5' -Schema "C:\BluGenie\bin\x64\Blubin\Modules\BluGenie\Configs\Schema\Sysmon.Schema" -EQLQuery "generic where EventId in (1,5) and wildcard(process_name, '*\\PerfLogs\\*.exe','*\\Users\\Public\\*.exe','*\\Users\\Default\\*.exe','*\\Windows\\Tasks\\*.exe','*\\Intel\\*.exe','*\\AMD\\Temp\\*.exe','*\\Windows\\AppReadiness\\*.exe', '*\\Windows\\ServiceState\\*.exe','*\\Windows\\security\\*.exe','*\\Windows\\IdentityCRL\\*.exe','*\\Windows\\Branding\\*.exe','*\\Windows\\csc\\*.exe', '*\\Windows\\DigitalLocker\\*.exe','*\\Windows\\en-US\\*.exe','*\\Windows\\wlansvc\\*.exe','*\\Windows\\Prefetch\\*.exe','*\\Windows\\Fonts\\*.exe', '*\\Windows\\diagnostics\\*.exe','*\\Windows\\TAPI\\*.exe','*\\Windows\\INF\\*.exe','*\\Windows\\System32\\Speech\\*.exe','*\\windows\\tracing\\*.exe', '*\\windows\\IME\\*.exe','*\\Windows\\Performance\\*.exe','*\\windows\\intel\\*.exe','*\\windows\\ms\\*.exe','*\\Windows\\dot3svc\\*.exe','*\\Windows\\ServiceProfiles\\*.exe', '*\\Windows\\panther\\*.exe','*\\Windows\\RemotePackages\\*.exe','*\\Windows\\OCR\\*.exe','*\\Windows\\appcompat\\*.exe','*\\Windows\\apppatch\\*.exe','*\\Windows\\addins\\*.exe', '*\\Windows\\Setup\\*.exe','*\\Windows\\Help\\*.exe','*\\Windows\\SKB\\*.exe','*\\Windows\\Vss\\*.exe','*\\Windows\\Web\\*.exe','*\\Windows\\servicing\\*.exe','*\\Windows\\CbsTemp\\*.exe', '*\\Windows\\Logs\\*.exe','*\\Windows\\WaaS\\*.exe','*\\Windows\\twain_32\\*.exe','*\\Windows\\ShellExperiences\\*.exe','*\\Windows\\ShellComponents\\*.exe','*\\Windows\\PLA\\*.exe', '*\\Windows\\Migration\\*.exe','*\\Windows\\debug\\*.exe','*\\Windows\\Cursors\\*.exe','*\\Windows\\Containers\\*.exe','*\\Windows\\Boot\\*.exe','*\\Windows\\bcastdvr\\*.exe', '*\\Windows\\assembly\\*.exe','*\\Windows\\TextInput\\*.exe','*\\Windows\\security\\*.exe','*\\Windows\\schemas\\*.exe','*\\Windows\\SchCache\\*.exe','*\\Windows\\Resources\\*.exe', 
'*\\Windows\\rescache\\*.exe','*\\Windows\\Provisioning\\*.exe','*\\Windows\\PrintDialog\\*.exe','*\\Windows\\PolicyDefinitions\\*.exe','*\\Windows\\media\\*.exe', '*\\Windows\\Globalization\\*.exe','*\\Windows\\L2Schemas\\*.exe','*\\Windows\\LiveKernelReports\\*.exe','*\\Windows\\ModemLogs\\*.exe','*\\Windows\\ImmersiveControlPanel\\*.exe') and not wildcard(process_name, '*\\SpeechUXWiz.exe','*\\SystemSettings.exe','*\\TrustedInstaller.exe','*\\PrintDialog.exe','*\\MpSigStub.exe','*\\LMS.exe','*\\mpam-*.exe')"
