it is possible for this search to generate a notable event for a batch file write to a path that includes the string \"system32\", but is not the actual windows system directory. as such, you should confirm the path of the batch file identified by the search. in addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. you should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.

Techniques

Sample rules

Batch File Write to System32

source: splunk
technicques:
- T1204
- T1204.002

Description

The search looks for a batch file (.bat) written to the Windows system directory tree.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name Processes.dest Processes.user 
| `drop_dm_object_name(Processes)` 
| join process_guid [
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\system32\\*", "*\\syswow64\\*") Filesystem.file_name="*.bat" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path Filesystem.process_guid 
| `drop_dm_object_name(Filesystem)`] 
| table dest user file_create_time, file_name, file_path, process_name, firstTime, lastTime 
| dedup file_create_time 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `batch_file_write_to_system32_filter`