Techniques
Sample rules
Batch File Write to System32
- source: splunk
- technicques:
- T1204
- T1204.002
Description
The search looks for a batch file (.bat) written to the Windows system directory tree.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\system32\\*", "*\\syswow64\\*") Filesystem.file_name="*.bat" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid
| `drop_dm_object_name(Filesystem)`]
| table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime
| dedup file_create_time
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `batch_file_write_to_system32_filter`