Tag

File-Creation

4 briefs RSS

File Creation in World-Writable Directory by Unusual Process

This rule detects the creation of files in world-writable directories on Linux systems by an unusual process, which is a common defense evasion tactic for potential lateral movement or malicious payload staging.

Elastic Defend +2 defense-evasion file-creation linux

2r 1t May 15, 2026

high advisory

Suspicious Alternate Data Stream (ADS) File Creation

2 rules 1 TTP

Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.

M365 Defender +3 defense-evasion ads file-creation windows

2r 1t Jan 26, 2024

high advisory

Executable or Script Creation in Temporary Paths

2 rules 1 TTP

Adversaries may create executables or scripts in temporary directories to evade detection, maintain persistence, and execute unauthorized code on Windows systems.

defense-evasion persistence privilege-escalation execution temp-directory file-creation

2r 1t Jan 3, 2024

high advisory

WScript or CScript Dropper

2 rules 2 TTPs

The WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.

Windows script-dropper file-creation

2r 2t Jan 2, 2024