EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Executables Or Script Creation In Suspicious Path

The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.

Detection Query

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Filesystem where
Filesystem.file_name IN (
    "*.bat",
    "*.cmd",
    "*.com",
    "*.dll",
    "*.exe",
    "*.js",
    "*.msc",
    "*.pif",
    "*.ps1",
    "*.sys",
    "*.vbe",
    "*.vbs"
)
Filesystem.file_path IN (
    "*:\\PerfLogs\\*",
    "*:\\Users\\Administrator\\Music\\*",
    "*:\\Users\\Default\\*",
    "*:\\Users\\Public\\*",
    "*:\\Windows\\debug\\*",
    "*:\\Windows\\fonts\\*",
    "*:\\Windows\\Media\\*",
    "*:\\Windows\\repair\\*",
    "*:\\Windows\\servicing\\*",
    "*\\inetpub\\*",
    "*\\Microsoft\\Windows\\Libraries\\*",
    "*Recycle.bin*"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash
   Filesystem.file_modify_time Filesystem.file_name
   Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id Filesystem.user
   Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `executables_or_script_creation_in_suspicious_path_filter`

Author

Teoderick Contreras, Splunk

Data Sources

Sysmon EventID 11

References

Raw Content
name: Executables Or Script Creation In Suspicious Path
id: a7e3f0f0-ae42-11eb-b245-acde48001122
version: 28
creation_date: '2021-05-07'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
data_source:
    - Sysmon EventID 11
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime
    from datamodel=Endpoint.Filesystem where
    Filesystem.file_name IN (
        "*.bat",
        "*.cmd",
        "*.com",
        "*.dll",
        "*.exe",
        "*.js",
        "*.msc",
        "*.pif",
        "*.ps1",
        "*.sys",
        "*.vbe",
        "*.vbs"
    )
    Filesystem.file_path IN (
        "*:\\PerfLogs\\*",
        "*:\\Users\\Administrator\\Music\\*",
        "*:\\Users\\Default\\*",
        "*:\\Users\\Public\\*",
        "*:\\Windows\\debug\\*",
        "*:\\Windows\\fonts\\*",
        "*:\\Windows\\Media\\*",
        "*:\\Windows\\repair\\*",
        "*:\\Windows\\servicing\\*",
        "*\\inetpub\\*",
        "*\\Microsoft\\Windows\\Libraries\\*",
        "*Recycle.bin*"
    )
    by Filesystem.action Filesystem.dest Filesystem.file_access_time
       Filesystem.file_create_time Filesystem.file_hash
       Filesystem.file_modify_time Filesystem.file_name
       Filesystem.file_path Filesystem.file_acl Filesystem.file_size
       Filesystem.process_guid Filesystem.process_id Filesystem.user
       Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `executables_or_script_creation_in_suspicious_path_filter`
how_to_implement: To successfully implement this search you need to be ingestinginformation on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
known_false_positives: Some false positives may arise from paths like Recycle.bin and \Users\Public. Other than that executable creation and certain script extensions in these suspicious paths should be less common.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
    - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
    - https://twitter.com/pr0xylife/status/1590394227758104576
    - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: '0'
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 20
          message: Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$
threat_objects:
    - field: file_name
      type: file_name
    - field: file_path
      type: file_path
analytic_story:
    - PlugX
    - Warzone RAT
    - Swift Slicer
    - Data Destruction
    - AgentTesla
    - LockBit Ransomware
    - Volt Typhoon
    - Brute Ratel C4
    - Industroyer2
    - WhisperGate
    - DarkGate Malware
    - Chaos Ransomware
    - ValleyRAT
    - XMRig
    - Hermetic Wiper
    - Remcos
    - Quasar RAT
    - Rhysida Ransomware
    - DarkCrystal RAT
    - Qakbot
    - Snake Keylogger
    - China-Nexus Threat Activity
    - IcedID
    - CISA AA23-347A
    - Azorult
    - Handala Wiper
    - Crypto Stealer
    - Salt Typhoon
    - Earth Alux
    - Double Zero Destructor
    - Trickbot
    - Cactus Ransomware
    - BlackByte Ransomware
    - SystemBC
    - AcidPour
    - NjRAT
    - Graceful Wipe Out Attack
    - Amadey
    - Derusbi
    - AsyncRAT
    - RedLine Stealer
    - SnappyBee
    - Meduza Stealer
    - WinDealer RAT
    - MoonPeak
    - Interlock Ransomware
    - Interlock Rat
    - NailaoLocker Ransomware
    - PromptLock
    - GhostRedirector IIS Module and Rungan Backdoor
    - Lokibot
    - Castle RAT
    - SesameOp
    - DynoWiper
    - XML Runner Loader
    - Void Manticore
    - Axios Supply Chain Post Compromise
    - VIP Keylogger
asset_type: Endpoint
mitre_attack_id:
    - T1036
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/executables_suspicious_file_path/exec_susp_path2.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit