Executable or Script Creation in Temporary Paths
Adversaries may create executables or scripts in temporary directories to evade detection, maintain persistence, and execute unauthorized code on Windows systems.
This threat brief focuses on the creation of executable files or scripts within temporary directories on Windows systems, a common tactic used by adversaries to bypass security controls and establish persistence. This behavior is often indicative of malicious activity, such as malware installation, privilege escalation, or unauthorized code execution. The observed activity involves writing files with extensions like .exe, .dll, .ps1, and .bat into common temporary locations such as \Windows\Temp\ or \AppData\Local\Temp\. Because these directories are full of legitimate short-lived files, attackers use them to hide malicious files in the noise, which makes detection more challenging. References to campaigns like Volt Typhoon and ransomware families like LockBit highlight the importance of detecting this behavior.
Attack Chain
- The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker drops a malicious executable or script onto the compromised system.
- To evade detection, the malicious file is created in a temporary directory such as C:\Windows\Temp\ or C:\Users\<username>\AppData\Local\Temp\.
- The attacker uses a dropper or installer to write the malicious file (e.g., using cmd.exe or powershell.exe).
- The attacker may rename the file to further disguise its purpose.
- The attacker executes the malicious file, potentially leading to code execution, privilege escalation, or persistence.
- The executed malware performs malicious actions, such as lateral movement, data exfiltration, or ransomware deployment.
- The attacker maintains persistence on the system, ensuring continued access and control.
Impact
Successful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the targeted environment. This can result in data theft, system compromise, or ransomware deployment. The references to campaigns like Volt Typhoon and ransomware families like LockBit highlight the potential for significant disruption and financial loss. Multiple analytic stories, such as AsyncRAT, DarkGate Malware, and Qakbot, highlight the prevalence of this technique across various threat actors.
Recommendation
- Enable Sysmon EventID 11 (FileCreate) logging to monitor file creation events on endpoints.
- Deploy the Sigma rule “Executable or Script Creation in Temp Path” to your SIEM and tune for your environment.
- Investigate any file creation events in temporary directories involving executable or script file types (.exe, .dll, .ps1, .bat, etc.).
- Review and filter events based on your organization’s normal activity to reduce false positives, as mentioned in the “known_false_positives” section of the source.
- Monitor for processes spawned from temporary directories using a process creation monitoring tool, and correlate them with other suspicious activity.
Detection coverage (2 rules)
Executable or Script Creation in Temp Path (severity: high)
Detects the creation of executable or script files in common temporary directories.
Process Spawning from Temporary Directory (severity: medium)
Detects processes being executed from a temporary directory, which is often indicative of malicious activity.
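The two rules above and the tuning advice in the Recommendation section can be exercised offline before touching a SIEM. The following Python is an added example, not code from the brief or from the platform that publishes these rules. It assumes a simplified `key=value|key=value` line format standing in for Sysmon EventID 11 (FileCreate) and EventID 1 (ProcessCreate) records, a constructed allowlist to show how "known_false_positives" filtering fits in, and the temp paths and extensions named in the brief; the sample events are constructed, not captured telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Temporary directories named in the brief: \Windows\Temp\ and \AppData\Local\Temp\.
TEMP_PATH_PATTERNS = [
    re.compile(r"\\windows\\temp\\", re.IGNORECASE),
    re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE),
]

# Executable/script extensions named in the brief.
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat")

# Constructed allowlist for false-positive tuning (assumption, not a recommendation):
# keep such entries narrow, since a broad allowlist can hide abuse of the same binary.
ALLOWLISTED_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
}


@dataclass
class Alert:
    rule: str
    severity: str
    image: str       # process that wrote the file or was spawned
    target: str      # file created, or image path for process spawn


def in_temp_path(path: str) -> bool:
    """True when the path sits under one of the watched temp directories."""
    return any(p.search(path) for p in TEMP_PATH_PATTERNS)


def has_suspicious_extension(path: str) -> bool:
    return path.lower().endswith(SUSPICIOUS_EXTENSIONS)


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' line into a field map."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(event: dict) -> Optional[Alert]:
    """Apply both rules to a single event; the allowlist is checked first."""
    image = event.get("Image", "")
    if image.lower() in ALLOWLISTED_IMAGES:
        return None
    if event.get("EventID") == "11":  # FileCreate
        target = event.get("TargetFilename", "")
        if in_temp_path(target) and has_suspicious_extension(target):
            return Alert("Executable or Script Creation in Temp Path", "high", image, target)
    elif event.get("EventID") == "1":  # ProcessCreate
        if in_temp_path(image):
            return Alert("Process Spawning from Temporary Directory", "medium", image, image)
    return None


def run_detection(lines: List[str]) -> List[Alert]:
    return [a for a in (evaluate(parse_event(l)) for l in lines) if a is not None]


# Constructed sample telemetry: two true positives for the high rule, one benign .tmp
# write, one allowlisted installer write, one process spawn from Temp, one benign spawn.
SAMPLE_EVENTS = [
    "EventID=11|Image=C:\\Windows\\System32\\cmd.exe|TargetFilename=C:\\Windows\\Temp\\update.exe",
    "EventID=11|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\installer.exe|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.ps1",
    "EventID=11|Image=C:\\Program Files\\App\\app.exe|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\cache.tmp",
    "EventID=11|Image=C:\\Windows\\System32\\msiexec.exe|TargetFilename=C:\\Windows\\Temp\\setup.dll",
    "EventID=1|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe|CommandLine=stage2.exe",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.image} -> {alert.target}")
```

Running the block yields three alerts: two high-severity file creations (the .exe under \Windows\Temp\ and the .ps1 under the user's Temp) and one medium-severity process spawn from Temp. The .tmp write is ignored by the extension check and the msiexec write is suppressed by the allowlist, which is the tuning step the brief asks for; in a real deployment the allowlist should be scoped to the specific parent image and target pattern seen in normal activity rather than an entire binary.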