Attack Chain

1. A malicious script (e.g., PowerShell, VBScript) is downloaded or dropped into a temporary directory such as C:\Windows\Temp, \AppData\Local\Temp, or similar.
2. The attacker uses a process like cmd.exe or powershell.exe to invoke the downloaded script.
3. The script executes, potentially performing reconnaissance, privilege escalation, or lateral movement.
4. The script may download additional payloads from a remote server.
5. The script establishes persistence through registry modification or scheduled tasks.
6. The script performs malicious actions such as data exfiltration or ransomware deployment.
7. The attacker attempts to remove the initial script files to cover their tracks.

Impact

Successful exploitation can lead to a range of consequences, including data theft, system compromise, and ransomware infection. The execution of malicious scripts from temporary directories can provide attackers with a foothold in the network, allowing them to move laterally, escalate privileges, and ultimately achieve their objectives. Depending on the script’s capabilities, it could also lead to system instability or denial of service.

Recommendation

• Deploy the Sigma rule “Suspicious Script Execution From Temp Folder” to your SIEM to detect script execution from temporary directories. Tune the rule’s filters for known-good software installers in your environment to reduce false positives.
• Enable process creation logging with command line arguments to capture the necessary information for the Sigma rule (logsource: process_creation).
• Investigate any alerts generated by the Sigma rule, focusing on the parent process and the script’s actions.
• Implement application control policies to restrict the execution of scripts from temporary directories where possible.