Tag
high
advisory
Suspicious Alternate Data Stream (ADS) File Creation
2 rules 1 TTPDetects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.
M365 Defender +3
defense-evasion
ads
file-creation
windows
2r
1t
high
advisory
Executable or Script Creation in Temporary Paths
2 rules 1 TTPAdversaries may create executables or scripts in temporary directories to evade detection, maintain persistence, and execute unauthorized code on Windows systems.
defense-evasion
persistence
privilege-escalation
execution
temp-directory
file-creation
2r
1t
high
advisory
WScript or CScript Dropper
2 rules 2 TTPsThe WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.
Windows
script-dropper
file-creation
2r
2t