Suspicious Executable or Script Creation in Uncommon Paths
Detection of executables or scripts being created in unusual directories on Windows systems, which can be indicative of malware installation or persistence attempts.
This threat brief addresses the creation of executable files or scripts in suspicious file paths on Windows systems, a tactic frequently employed by attackers to evade detection and maintain persistence. This activity is detected by monitoring file creation events (Sysmon EventID 11) and identifying files with executable extensions (e.g., .exe, .dll, .ps1, .vbs) being created in uncommon directories, such as \windows\fonts, \users\public, \PerfLogs, and others. Successful exploitation via this technique can lead to unauthorized code execution, privilege escalation, and persistent access to compromised systems. Recent examples of malware abusing these techniques include PlugX, Warzone RAT, DarkGate Malware, and LockBit Ransomware, demonstrating the continued relevance of this detection strategy. This analytic is applicable to Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud.
Attack Chain
- The attacker gains initial access to the system (e.g., through phishing or exploit).
- The attacker drops a malicious executable or script (e.g., a PowerShell script or DLL file) onto the target system.
- The malicious file is created in a suspicious directory, such as \Users\Public, \Windows\Fonts, or \PerfLogs, to avoid detection.
- The attacker uses various techniques to execute the dropped file, such as leveraging
cmd.exe,powershell.exe, or other legitimate tools. - The executed file performs malicious actions, such as establishing persistence, escalating privileges, or deploying additional malware.
- The malware communicates with a command-and-control (C2) server to receive further instructions or exfiltrate data.
- The attacker may use the compromised system as a foothold to move laterally within the network.
Impact
Successful exploitation could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat. Observed damage can range from data exfiltration to ransomware deployment, depending on the attacker's objectives. The scope of impact can vary from individual workstations to entire networks, potentially affecting critical business operations. Many threat actors, including those associated with PlugX, Warzone RAT, and LockBit ransomware, are known to utilize these techniques, thus defenders should prioritize detection and prevention measures.
Recommendation
- Enable Sysmon EventID 11 logging to monitor file creation events on endpoints, as this is the data source required for the provided rules.
- Deploy the Sigma rule "Suspicious Executable Creation in Public Directory" to detect executables created in common public directories and tune for your environment.
- Deploy the Sigma rule "Suspicious Script Creation in Windows Fonts Directory" to detect scripts created in the Windows Fonts directory.
- Investigate any alerts generated by these rules, focusing on the process that created the file and the file's subsequent behavior.
Detection coverage 3
Suspicious Executable Creation in Public Directory
highDetects creation of executable files in the Public directory, often used by attackers for initial access or persistence.
Suspicious Script Creation in Windows Fonts Directory
mediumDetects the creation of script files (e.g., .ps1, .vbs) in the Windows Fonts directory, a location rarely used for legitimate purposes.
Executables Created in Temp Directory
mediumDetects executable files being created in temp directories
Detection queries are available on the platform. Get full rules →