{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-creation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ads","file-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the creation of Alternate Data Streams (ADS) on Windows systems, a technique often employed by adversaries to conceal malicious code or data within seemingly benign files. Attackers leverage scripting engines and command interpreters to write ADS to various file types, including executables, documents, and media files. This activity is uncommon in legitimate workflows, making it a valuable indicator of potential compromise. The rule is designed to trigger on file creation events where the process creating the file is a known script or command interpreter (cmd.exe, powershell.exe, etc.) and the target file has a suspicious extension. The detection excludes common legitimate ADS usage patterns. This technique is used for defense evasion, allowing malware to persist without being easily detected by traditional security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command interpreter (cmd.exe, powershell.exe, etc.) or scripting engine (wscript.exe, cscript.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code creates an Alternate Data Stream (ADS) on a targeted file (e.g., an executable, document, or image). The targeted file\u0026rsquo;s extension could be pdf, dll, exe, dat, etc.\u003c/li\u003e\n\u003cli\u003eThe attacker hides malicious code or data within the ADS, making it less visible to standard file system scans and security tools. The ADS is written to a file path using the \u003ccode\u003eC:\\\\*:\\*\u003c/code\u003e syntax.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or clean up any staging files to further conceal their activity.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute the hidden code within the ADS, or use the ADS to store configuration data for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by using the ADS to store and execute malicious code, bypassing typical file-based security measures.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to maintain unauthorized access to the system, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious code within legitimate files, evading detection by traditional security measures. This can lead to prolonged persistence on compromised systems, enabling data theft, ransomware deployment, or other malicious activities. While the specific number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via Cmd\u003c/code\u003e to detect ADS creation events initiated by cmd.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious ADS File Creation via PowerShell\u003c/code\u003e to detect ADS creation events initiated by powershell.exe.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 15 (FileCreateStreamHash) to provide detailed information about ADS creation events, as referenced in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the file paths, creating processes, and command-line arguments involved, as detailed in the rule\u0026rsquo;s triage and analysis notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:00:00Z","date_published":"2024-01-26T18:00:00Z","id":"/briefs/2024-01-ads-file-creation/","summary":"Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.","title":"Suspicious Alternate Data Stream (ADS) File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-ads-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","privilege-escalation","execution","temp-directory","file-creation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the creation of executable files or scripts within temporary directories on Windows systems, a common tactic used by adversaries to bypass security controls and establish persistence. This behavior is often indicative of malicious activity, such as malware installation, privilege escalation, or unauthorized code execution. The observed activity involves writing files with extensions like \u003ccode\u003e.exe\u003c/code\u003e, \u003ccode\u003e.dll\u003c/code\u003e, \u003ccode\u003e.ps1\u003c/code\u003e, and \u003ccode\u003e.bat\u003c/code\u003e into common temporary locations like \u003ccode\u003e\\Windows\\Temp\\\u003c/code\u003e or \u003ccode\u003e\\AppData\\Local\\Temp\\\u003c/code\u003e. This technique allows attackers to hide malicious files among legitimate temporary files, making detection more challenging. References to campaigns like Volt Typhoon and ransomware families like LockBit highlight the importance of detecting this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable or script onto the compromised system.\u003c/li\u003e\n\u003cli\u003eTo evade detection, the malicious file is created in a temporary directory such as \u003ccode\u003eC:\\Windows\\Temp\\\u003c/code\u003e or \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\AppData\\Local\\Temp\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a dropper or installer to write the malicious file (e.g., using \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may rename the file to further disguise its purpose.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious file, potentially leading to code execution, privilege escalation, or persistence.\u003c/li\u003e\n\u003cli\u003eThe executed malware performs malicious actions, such as lateral movement, data exfiltration, or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system, ensuring continued access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the targeted environment. This can result in data theft, system compromise, or ransomware deployment. The references to campaigns like Volt Typhoon and ransomware families like LockBit highlight the potential for significant disruption and financial loss. Multiple analytic stories, such as AsyncRAT, DarkGate Malware, and Qakbot, highlight the prevalence of this technique across various threat actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (FileCreate) logging to monitor file creation events on endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Executable or Script Creation in Temp Path\u0026rdquo; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any file creation events in temporary directories involving executable or script file types (.exe, .dll, .ps1, .bat, etc.).\u003c/li\u003e\n\u003cli\u003eReview and filter events based on your organization\u0026rsquo;s normal activity to reduce false positives, as mentioned in the \u0026ldquo;known_false_positives\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eMonitor for processes spawned from temporary directories using a process creation monitoring tool, and correlate them with other suspicious activities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-executables-or-script-creation-in-temp-path/","summary":"Adversaries may create executables or scripts in temporary directories to evade detection, maintain persistence, and execute unauthorized code on Windows systems.","title":"Executable or Script Creation in Temporary Paths","url":"https://feed.craftedsignal.io/briefs/2024-01-executables-or-script-creation-in-temp-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["script-dropper","file-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe WScript or CScript Dropper technique is a method employed by attackers to introduce malicious script files into a system. It leverages the built-in Windows scripting hosts, \u003ccode\u003ecscript.exe\u003c/code\u003e and \u003ccode\u003ewscript.exe\u003c/code\u003e, to write files with extensions commonly associated with scripting languages (e.g., \u003ccode\u003e.js\u003c/code\u003e, \u003ccode\u003e.vbs\u003c/code\u003e, \u003ccode\u003e.wsf\u003c/code\u003e). These scripts are often written to temporary or user-accessible directories, such as \u003ccode\u003e\\Temp\\\u003c/code\u003e, \u003ccode\u003e\\AppData\\\u003c/code\u003e, or \u003ccode\u003e\\Startup\\\u003c/code\u003e, where they can be executed later, either manually or…\u003c/p\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-cscript-wscript-dropper/","summary":"The WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.","title":"WScript or CScript Dropper","url":"https://feed.craftedsignal.io/briefs/2024-01-cscript-wscript-dropper/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Creation","version":"https://jsonfeed.org/version/1.1"}