high advisory

Executable or Script Creation in Suspicious Paths

This analytic identifies the creation of executable or script files in suspicious file paths on Windows systems. Adversaries drop payloads in these locations to evade detection and maintain persistence, which can lead to unauthorized code execution, privilege escalation, or a lasting foothold in the environment.

This detection identifies the creation of executable or script files in directories where such files are not normally written on Windows systems. Adversaries favour these locations because they are rarely inspected by administrators and are often excluded from monitoring that focuses on user profiles and Program Files; some of them, such as C:\Users\Public, are writable by every local user by design. The technique involves placing files with extensions such as .exe, .dll, .ps1, and similar in directories such as \windows\fonts\, \users\public\, \Windows\debug\, and others that are atypical for those file types. Because the payload is a freshly written file rather than a known sample, signature-based controls frequently miss it, and the file creation itself is the earliest reliable signal before the attacker executes it. The detection applies to any Windows system where file creation events are logged (Sysmon Event ID 11) and forwarded for analysis. It matters to defenders because a successful drop-and-execute sequence leads to arbitrary code execution, persistence, and further malicious activity in the compromised environment.

Attack Chain

  1. An attacker gains initial access to the system, potentially through exploitation of a vulnerability or compromised credentials.
  2. The attacker selects a directory that is rarely inspected and, in some cases, writable by unprivileged users, such as C:\Windows\Fonts\ or C:\Users\Public\.
  3. The attacker drops a malicious executable file (e.g., evil.exe) or a script (e.g., evil.ps1) into the chosen directory.
  4. The attacker employs techniques to execute the malicious file, such as creating a scheduled task, modifying registry keys, or leveraging other “living off the land” binaries.
  5. The malicious file executes, performing actions such as establishing persistence, escalating privileges, or deploying additional malware.
  6. The attacker leverages the established persistence to maintain access to the compromised system.
  7. The attacker performs lateral movement to other systems within the network, utilizing tools such as PsExec or PowerShell.
  8. The attacker achieves their ultimate objective, such as data exfiltration, system disruption, or ransomware deployment.

Impact

Successful use of this technique can lead to the installation of malware, unauthorized access to sensitive data, and complete system compromise. The creation of executables in suspicious paths is a common technique used by a range of threat actors; the underlying analytic is tagged to multiple analytic stories, including PlugX, LockBit Ransomware, and Volt Typhoon. In each case the technique serves to evade detection and maintain a persistent presence on the compromised system.

Recommendation

  • Enable Sysmon Event ID 11 (FileCreate) logging, which is the data source for the analytic. Sysmon only emits Event ID 11 for paths matched by the FileCreate rules in its configuration, so confirm those rules include the directories named above rather than assuming a default install covers them.
  • Deploy the provided Sigma rule to your SIEM to detect the creation of executables or scripts in suspicious paths.
  • Investigate and validate any alerts generated by the Sigma rule, focusing on the writing process (the Sysmon Image field) and the user context; an installer running as SYSTEM and a PowerShell session running as an interactive user writing the same path warrant very different responses.
  • Implement file integrity monitoring (FIM) on critical directories to detect unauthorized file modifications.
  • Review and harden file system permissions to restrict write access to suspicious directories where the operating system allows it. C:\Users\Public is writable by all local users by design, so for that path detection rather than ACL hardening is the primary control.

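To make the description above and the detection-deployment steps concrete, the following is an added example and not the platform's Sigma rule or any vendor code: it re-implements the two rules' logic (executables rated high, scripts rated medium) over Sysmon Event ID 11 records rendered as Windows Event XML. The directory list is the three paths the advisory names plus two labelled additions, the extension sets extend the advisory's .exe/.dll/.ps1 with other common types, and the sample records are constructed for the demonstration; all of these are assumptions to tune to your own estate.

```python
"""Added example, not the platform's Sigma rule: applies the 'executable or
script creation in suspicious paths' logic to Sysmon Event ID 11 (FileCreate)
records rendered as Windows Event XML. Assumptions: the directory list is the
three the advisory names plus two labelled additions; the extension sets extend
the advisory's .exe/.dll/.ps1 with other common types. Tune both to your estate."""
import ntpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Optional

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Case-insensitive substrings of TargetFilename, like Sigma's `|contains`.
# The trailing backslash stops "\users\public\" matching "\users\publicity\".
# Doubled backslashes are Python escaping only.
SUSPICIOUS_DIRS = (
    "\\windows\\fonts\\",    # named in the advisory
    "\\users\\public\\",     # named in the advisory
    "\\windows\\debug\\",    # named in the advisory
    "\\windows\\tasks\\",    # assumption: commonly added, writable by users
    "\\windows\\tracing\\",  # assumption: commonly added, writable by users
)
# Two rules, as the advisory ships them: executables high, scripts medium.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".cpl"}            # .exe/.dll from advisory, rest assumed
SCRIPT_EXTS = {".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".wsf"}  # .ps1 from advisory, rest assumed


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    target: str
    image: str      # process that wrote the file: first triage pivot
    user: str       # account context: second triage pivot
    utc_time: str


def parse_file_create(xml_text: str) -> Optional[dict]:
    """EventData of one Sysmon Event ID 11 record as a dict; None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", default="", namespaces=EVT_NS).strip() != "11":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}


def classify(target_filename: str) -> Optional[tuple[str, str]]:
    """(rule, severity) for an executable or script created in a suspicious
    directory, else None. Lowercased because NTFS paths are case-insensitive;
    ntpath splits on backslashes regardless of the host OS."""
    path = target_filename.lower()
    if not any(d in path for d in SUSPICIOUS_DIRS):
        return None
    ext = ntpath.splitext(path)[1]
    if ext in EXECUTABLE_EXTS:
        return ("Detect Executable Creation in Suspicious Paths via Sysmon", "high")
    if ext in SCRIPT_EXTS:
        return ("Detect Script Creation in Suspicious Paths", "medium")
    return None


def scan(records: Iterable[str]) -> list[Alert]:
    """Run both rules over a stream of event XML strings, keeping triage context."""
    alerts = []
    for xml_text in records:
        data = parse_file_create(xml_text)
        hit = classify(data.get("TargetFilename", "")) if data else None
        if hit:
            alerts.append(Alert(hit[0], hit[1], data.get("TargetFilename", ""),
                                data.get("Image", ""), data.get("User", ""),
                                data.get("UtcTime", "")))
    return alerts


def _event(event_id: int, image: str, target: str, user: str) -> str:
    """Constructed Sysmon-style event XML for the demo; not a real log capture."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 10:15:00.000</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetFilename">{target}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


# Constructed samples: script in Public, executable in Fonts with mixed case,
# a benign document in Public, a vendor install, and a non-FileCreate event.
SAMPLE_RECORDS = [
    _event(11, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
           "C:\\Users\\Public\\evil.ps1", "CORP\\jdoe"),
    _event(11, "C:\\Windows\\System32\\cmd.exe", "C:\\WINDOWS\\Fonts\\Evil.EXE", "CORP\\jdoe"),
    _event(11, "C:\\Windows\\explorer.exe", "C:\\Users\\Public\\Documents\\notes.txt", "CORP\\jdoe"),
    _event(11, "C:\\Windows\\System32\\msiexec.exe", "C:\\Program Files\\Vendor\\app.exe",
           "NT AUTHORITY\\SYSTEM"),
    _event(1, "C:\\Windows\\System32\\cmd.exe", "C:\\Users\\Public\\ignored.exe", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f"[{a.severity}] {a.rule}: {a.target} written by {a.image} as {a.user}")
```

Running the block prints two alerts, one high (the .EXE in Fonts, matched despite its mixed-case path) and one medium (the .ps1 in Public), while the document in Public, the vendor install under Program Files, and the Event ID 1 record produce nothing. Each alert carries the writing process and the user, the two fields the recommendations above tell analysts to pivot on first.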
Detection coverage (2 rules)

Detect Executable Creation in Suspicious Paths via Sysmon

high

Detects the creation of executable files in suspicious directories.

Format: Sigma | Tactic: Defense Evasion | Technique: T1036 | Log source: file_event (windows)

Detect Script Creation in Suspicious Paths

medium

Detects the creation of script files in suspicious directories often used for malicious purposes.

Format: Sigma | Tactic: Defense Evasion | Technique: T1036 | Log source: file_event (windows)

Detection queries are kept inside the platform.