{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/temp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["execution","script","temp"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies suspicious script executions originating from temporary directories. Threat actors often leverage temporary folders to stage and execute malicious scripts, such as PowerShell, VBScript, or even HTML applications (MSHTA) to evade detection or bypass security controls. These scripts can be delivered through various means, including phishing attacks, drive-by downloads, or as part of a multi-stage malware infection. The execution of scripts from temporary directories is generally uncommon for legitimate software, making it a valuable indicator of potentially malicious activity. This detection focuses on identifying processes like powershell.exe, pwsh.exe, mshta.exe, wscript.exe, and cscript.exe executing from or referencing standard temporary paths in their command line.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious script (e.g., PowerShell, VBScript) is downloaded or dropped into a temporary directory such as \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e, \u003ccode\u003e\\AppData\\Local\\Temp\u003c/code\u003e, or similar.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a process like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to invoke the downloaded script.\u003c/li\u003e\n\u003cli\u003eThe script executes, potentially performing reconnaissance, privilege escalation, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe script may download additional payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove the initial script files to cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of consequences, including data theft, system compromise, and ransomware infection. The execution of malicious scripts from temporary directories can provide attackers with a foothold in the network, allowing them to move laterally, escalate privileges, and ultimately achieve their objectives. Depending on the script\u0026rsquo;s capabilities, it could also lead to system instability or denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Script Execution From Temp Folder\u0026rdquo; to your SIEM to detect script execution from temporary directories. Tune the rule\u0026rsquo;s filters for known-good software installers in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the necessary information for the Sigma rule (logsource: process_creation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process and the script\u0026rsquo;s actions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of scripts from temporary directories where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:30:00Z","date_published":"2024-01-02T14:30:00Z","id":"/briefs/2024-01-script-exec-temp/","summary":"This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.","title":"Suspicious Script Execution from Temporary Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-script-exec-temp/"}],"language":"en","title":"CraftedSignal Threat Feed — Temp","version":"https://jsonfeed.org/version/1.1"}