Skip to content
Threat Feed
high advisory

Executable or Script Creation in Suspicious Windows Paths

This brief details a detection analytic for the creation of executables or scripts, such as .exe, .dll, or .ps1 files, in suspicious Windows file paths like `\windows\fonts\` or `\users\public\`, a technique frequently employed by adversaries for defense evasion and persistence, potentially leading to unauthorized code execution and privilege escalation.

This threat brief focuses on a detection analytic designed to identify a common adversary technique: the creation of executable files and scripts within unusual or suspicious directories on Windows systems. Adversaries regularly abuse standard operating system directories, such as C:\Windows\fonts\ or C:\Users\Public\, to store malicious payloads, configuration files, or persistent components. This method helps them evade detection by blending in with legitimate system files and maintaining persistence even after reboots or security product scans. The technique is a key component in many attack campaigns by various threat actors, including those behind PlugX, Warzone RAT, and Volt Typhoon. Detecting such activity is crucial for identifying post-exploitation phases, where attackers attempt to solidify their foothold, deliver further stages of malware, or prepare for privilege escalation and lateral movement.

Impact

The successful creation of executables or scripts in suspicious paths typically indicates an adversary has already gained initial access to a system. If left undetected, this activity can lead to various severe consequences, including the execution of unauthorized code, which could be anything from a simple backdoor to sophisticated ransomware. It serves as a strong indicator of an attacker establishing persistence, allowing them to maintain control over the compromised system and escalate privileges for broader environmental impact. This technique is often seen preceding data exfiltration, system destruction (e.g., in wiper attacks like WhisperGate), or ransomware deployment, posing a critical risk to data integrity, confidentiality, and system availability across targeted organizations, particularly critical infrastructure.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect file creations in suspicious paths.
  • Ensure Sysmon Event ID 11 (FileCreate) logging is enabled on all Windows endpoints to provide the necessary telemetry for the detection rule.
  • Investigate all alerts generated by the Detect Executable or Script Creation in Suspicious Paths rule, prioritizing based on the impacted user and path.
  • Establish baselines for legitimate software installations or updates that might write files to the listed suspicious paths and add them as exclusions to reduce false positives, as mentioned in the false positives section of the rule.

Detection coverage 1

Detect Executable or Script Creation in Suspicious Paths

high

Detects the creation of common executable or script file types in paths frequently abused by adversaries for defense evasion and persistence on Windows systems.

sigma tactics: defense_evasion, persistence techniques: T1036 sources: file_event, windows

Detection queries are available on the platform. Get full rules →