EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Executables Or Script Creation In Suspicious Path

The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.

MITRE ATT&CK

T1036
defense-evasion

Detection Query

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Filesystem where

Filesystem.file_name IN (
  "*.bat",
  "*.cmd",
  "*.com",
  "*.dll",
  "*.exe",
  "*.js",
  "*.msc",
  "*.pif",
  "*.ps1",
  "*.sys",
  "*.vbe",
  "*.vbs"
)
Filesystem.file_path IN (
  "*\\PerfLogs\\*",
  "*\\Users\\Administrator\\Music\\*",
  "*\\Users\\Default\\*",
  "*\\Users\\Public\\*",
  "*\\Windows\\debug\\*",
  "*\\Windows\\fonts\\*",
  "*\\Windows\\Media\\*",
  "*\\Windows\\repair\\*",
  "*\\Windows\\servicing\\*",
  "*Recycle.bin*",
  "*:\\inetpub\\*"
)

by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash
   Filesystem.file_modify_time Filesystem.file_name
   Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id Filesystem.user
   Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `executables_or_script_creation_in_suspicious_path_filter`

Author

Teoderick Contreras, Splunk

Created

2026-03-31

Data Sources

Sysmon EventID 11

References

Tags

PlugXWarzone RATSwift SlicerData DestructionAgentTeslaLockBit RansomwareVolt TyphoonBrute Ratel C4Industroyer2WhisperGateDarkGate MalwareChaos RansomwareValleyRATXMRigHermetic WiperRemcosQuasar RATRhysida RansomwareDarkCrystal RATQakbotSnake KeyloggerChina-Nexus Threat ActivityIcedIDCISA AA23-347AAzorultHandala WiperCrypto StealerSalt TyphoonEarth AluxDouble Zero DestructorTrickbotCactus RansomwareBlackByte RansomwareSystemBCAcidPourNjRATGraceful Wipe Out AttackAmadeyDerusbiAsyncRATRedLine StealerSnappyBeeMeduza StealerWinDealer RATMoonPeakInterlock RansomwareInterlock RatNailaoLocker RansomwarePromptLockGhostRedirector IIS Module and Rungan BackdoorLokibotCastle RATSesameOpDynoWiperXML Runner LoaderVoid ManticoreAxios Supply Chain Post Compromise
Raw Content
name: Executables Or Script Creation In Suspicious Path
id: a7e3f0f0-ae42-11eb-b245-acde48001122
version: 26
date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: |
    The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems.
    It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\).
    This activity can be significant as adversaries often use these paths to evade detection and maintain persistence.
    If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
data_source:
    - Sysmon EventID 11
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime

    from datamodel=Endpoint.Filesystem where

    Filesystem.file_name IN (
      "*.bat",
      "*.cmd",
      "*.com",
      "*.dll",
      "*.exe",
      "*.js",
      "*.msc",
      "*.pif",
      "*.ps1",
      "*.sys",
      "*.vbe",
      "*.vbs"
    )
    Filesystem.file_path IN (
      "*\\PerfLogs\\*",
      "*\\Users\\Administrator\\Music\\*",
      "*\\Users\\Default\\*",
      "*\\Users\\Public\\*",
      "*\\Windows\\debug\\*",
      "*\\Windows\\fonts\\*",
      "*\\Windows\\Media\\*",
      "*\\Windows\\repair\\*",
      "*\\Windows\\servicing\\*",
      "*Recycle.bin*",
      "*:\\inetpub\\*"
    )

    by Filesystem.action Filesystem.dest Filesystem.file_access_time
       Filesystem.file_create_time Filesystem.file_hash
       Filesystem.file_modify_time Filesystem.file_name
       Filesystem.file_path Filesystem.file_acl Filesystem.file_size
       Filesystem.process_guid Filesystem.process_id Filesystem.user
       Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `executables_or_script_creation_in_suspicious_path_filter`
how_to_implement: |
    To successfully implement this search you need to be ingesting
    information on process that include the name of the Filesystem responsible for
    the changes from your endpoints into the `Endpoint` datamodel in the
    `Filesystem` node.
known_false_positives: |
    Some false positives may arise from paths like Recycle.bin and \Users\Public.
    Other than that executable creation and certain script extensions in these suspicious paths should be less common.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
    - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
    - https://twitter.com/pr0xylife/status/1590394227758104576
    - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: file_name
          type: file_name
        - field: file_path
          type: file_path
tags:
    analytic_story:
        - PlugX
        - Warzone RAT
        - Swift Slicer
        - Data Destruction
        - AgentTesla
        - LockBit Ransomware
        - Volt Typhoon
        - Brute Ratel C4
        - Industroyer2
        - WhisperGate
        - DarkGate Malware
        - Chaos Ransomware
        - ValleyRAT
        - XMRig
        - Hermetic Wiper
        - Remcos
        - Quasar RAT
        - Rhysida Ransomware
        - DarkCrystal RAT
        - Qakbot
        - Snake Keylogger
        - China-Nexus Threat Activity
        - IcedID
        - CISA AA23-347A
        - Azorult
        - Handala Wiper
        - Crypto Stealer
        - Salt Typhoon
        - Earth Alux
        - Double Zero Destructor
        - Trickbot
        - Cactus Ransomware
        - BlackByte Ransomware
        - SystemBC
        - AcidPour
        - NjRAT
        - Graceful Wipe Out Attack
        - Amadey
        - Derusbi
        - AsyncRAT
        - RedLine Stealer
        - SnappyBee
        - Meduza Stealer
        - WinDealer RAT
        - MoonPeak
        - Interlock Ransomware
        - Interlock Rat
        - NailaoLocker Ransomware
        - PromptLock
        - GhostRedirector IIS Module and Rungan Backdoor
        - Lokibot
        - Castle RAT
        - SesameOp
        - DynoWiper
        - XML Runner Loader
        - Void Manticore
        - Axios Supply Chain Post Compromise
    asset_type: Endpoint
    mitre_attack_id:
        - T1036
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/executables_suspicious_file_path/exec_susp_path2.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog