executable creation and certain script extensions in temporary paths can very common in certain environments and legitimate use cases. it is important to review and filter these events based on your organization's normal activity and policies.

Techniques

T1036

Sample rules

Executables Or Script Creation In Temp Path

source: splunk
technicques:
- T1036

Description

The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems. It leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in temporary directories (e.g., \windows\Temp, \AppData\Local\Temp). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Filesystem where

Filesystem.action="created"
Filesystem.file_name IN (
  "*.bat",
  "*.cmd",
  "*.com",
  "*.dll",
  "*.exe",
  "*.js",
  "*.msc",
  "*.pif",
  "*.ps1",
  "*.sys",
  "*.vbe",
  "*.vbs"
)
Filesystem.file_path IN (
  "*:\\Temp\\*",
  "*:\\Windows\\Temp\\*",
  "*\\AppData\\Local\\Temp\\*",
)
NOT Filesystem.file_path IN (
  "*\\__PSScriptPolicyTest_*",
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash
   Filesystem.file_modify_time Filesystem.file_name
   Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id Filesystem.user
   Filesystem.vendor_product

| `drop_dm_object_name(Filesystem)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `executables_or_script_creation_in_temp_path_filter`