Techniques
Sample rules
Batch File Write to System32
- source: splunk
- technicques:
- T1204
- T1204.002
Description
The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\system32\\*", "*\\syswow64\\*") Filesystem.file_name="*.bat" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid
| `drop_dm_object_name(Filesystem)`]
| table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime
| dedup file_create_time
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `batch_file_write_to_system32_filter`