Suspicious Executable Files Execution From Unusual Locations

Rule Info

Name
Suspicious Executable Files Execution From Unusual Locations
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of executable files other than .exe, such as '.com', '.scr', etc., from suspicious and uncommon locations that may indicate malicious activity. Malware often uses non-standard executable formats and drops them in temporary or user-accessible locations to evade detection. This rule specifically monitors executions from paths like Temp folders, Downloads, User directories, and Windows system folders that are commonly abused by malware.
Date
2025-03-26 00:00:00
Modified
None
Id
3757dfc9-11ff-4b38-8443-80b05a54962b
Tags
attack.execution attack.t1204.002 attack.defense-evasion
Type
Nextron Sigma feed only (private)

Rule History