LoFP / Some legitimate software installers or system-maintenance tools may create .msc files under System32 at unusual paths. Verify such activity and allow-list trusted system or vendor-approved processes to reduce false positives.

Techniques

Sample rules

Windows Mock Trusted Directory MSC File Creation

Description

Detects the creation of MSC files within a "C:\Windows \System32" directory (note the trailing space after "Windows"). Windows path normalization strips trailing spaces from directory names, so a trust check that normalizes the path before comparing it treats "C:\Windows \System32" as the real "C:\Windows\System32", even though it is a separate directory that the ACLs on the real C:\Windows do not protect. A file planted in that mock directory is then loaded in the trusted context in place of the standard Windows file, hijacking execution flow. The rule therefore matches on the literal "Windows \" prefix, which no legitimate Windows directory carries.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path IN (
        "C:\\Windows \\System32\\*.msc",
        "C:\\Windows \\System32\\de-DE\\*.msc",
        "C:\\Windows \\System32\\en-US\\*.msc",
        "C:\\Windows \\System32\\es-ES\\*.msc",
        "C:\\Windows \\System32\\fr-FR\\*.msc",
        "C:\\Windows \\System32\\it-IT\\*.msc",
        "C:\\Windows \\System32\\ja-JP\\*.msc",
        "C:\\Windows \\System32\\ko-KR\\*.msc",
        "C:\\Windows \\System32\\zh-CN\\*.msc",
        "C:\\Windows \\System32\\zh-TW\\*.msc"
    )
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
       Filesystem.process_guid Filesystem.process_id Filesystem.file_path Filesystem.file_name
       Filesystem.user Filesystem.vendor_product Filesystem.action
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_mock_trusted_directory_msc_file_creation_filter`
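The following is an added example, not part of the rule or of the LoFP page: it replays the WHERE clause above over a handful of constructed Endpoint.Filesystem-style events, and it models the path-normalization flaw from the description with a deliberately simplified trust check. The field names, sample events, `trusted_dir` default and the normalizer model are assumptions for illustration, not Windows internals or the rule's own code; `fnmatch` is used because Splunk's `*` wildcard, like fnmatch's, matches any characters including backslashes.

```python
"""Replay the mock-trusted-directory MSC detection over constructed events and show
why a trailing space in "C:\\Windows \\System32" defeats a naive trust check.
Added example; sample events and the trust-check model are constructed assumptions."""
import fnmatch

# The directories the tstats WHERE clause covers: the mock System32 plus the
# locale subfolders listed in the rule. Note the space before the backslash.
MOCK_SYSTEM32 = "C:\\Windows \\System32"
LOCALE_DIRS = ["", "de-DE", "en-US", "es-ES", "fr-FR",
               "it-IT", "ja-JP", "ko-KR", "zh-CN", "zh-TW"]
PATTERNS = [
    MOCK_SYSTEM32 + "\\" + (loc + "\\" if loc else "") + "*.msc"
    for loc in LOCALE_DIRS
]


def is_mock_trusted_msc(file_path: str) -> bool:
    """True when file_path matches one of the rule's wildcard paths.

    Matching is case-insensitive because NTFS paths are (assumption that the
    deployed rule is evaluated the same way). The first pattern already covers
    every subfolder, since '*' spans backslashes; the locale entries are kept
    to mirror the rule exactly."""
    path = file_path.lower()
    return any(fnmatch.fnmatchcase(path, pat.lower()) for pat in PATTERNS)


def looks_trusted_after_normalization(file_path: str,
                                      trusted_dir: str = "C:\\Windows\\System32") -> bool:
    """Simplified model of the flaw (assumption, not Windows source code): a trust
    check that normalizes each path component by dropping trailing spaces and
    then compares the parent directory with the real System32. Under that model
    the mock directory collapses onto the trusted one."""
    parts = [part.rstrip(" ") for part in file_path.split("\\")]
    parent = "\\".join(parts[:-1])
    return parent.lower() == trusted_dir.lower()


# Constructed events shaped like a subset of the datamodel fields the rule groups by.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "file_path": "C:\\Windows \\System32\\eventvwr.msc"},
    {"dest": "ws01", "user": "alice",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
     "file_path": "C:\\Windows \\System32\\en-US\\eventvwr.msc"},
    {"dest": "ws02", "user": "SYSTEM",
     "process_path": "C:\\Windows\\System32\\msiexec.exe",
     "file_path": "C:\\Windows\\System32\\compmgmt.msc"},   # real System32: not a hit
    {"dest": "ws02", "user": "bob",
     "process_path": "C:\\Windows\\explorer.exe",
     "file_path": "C:\\Users\\bob\\Desktop\\notes.msc"},     # user profile: not a hit
]


def find_hits(events):
    """Return (dest, process_path, file_path, user) for every event the rule would flag."""
    return [
        (e["dest"], e["process_path"], e["file_path"], e["user"])
        for e in events
        if is_mock_trusted_msc(e["file_path"])
    ]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT", hit)
    # Both the genuine System32 file and the mock one pass the naive trust check;
    # only the mock one is caught by the rule's literal "Windows \" match.
    for path in ("C:\\Windows\\System32\\eventvwr.msc",
                 "C:\\Windows \\System32\\eventvwr.msc"):
        print(path, "trusted:", looks_trusted_after_normalization(path),
              "flagged:", is_mock_trusted_msc(path))
```

When tuning the filter macro against the false positives noted at the top of the page, key the allow-list on `process_path` (and ideally `process_guid`) rather than on `file_path`, since the whole point of the rule is that the destination path looks legitimate once normalized.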