Detectionhightest
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Sat Nov 20Updated Wed Mar 291277f594-a7d1-4f28-a2d3-73af5cbeab43windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection_1:
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\powershell.exe'
- '\pwsh.exe'
- '\sh.exe'
- '\wscript.exe'
TargetFilename|startswith:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
selection_2:
Image|endswith:
- '\certutil.exe'
- '\forfiles.exe'
- '\mshta.exe'
# - '\rundll32.exe' # Potential FP
- '\schtasks.exe'
- '\scriptrunner.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
TargetFilename|contains:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
condition: 1 of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
1
Resolving title…
Internal ResearchMITRE ATT&CK
Tactics
Rule Metadata
Rule ID
1277f594-a7d1-4f28-a2d3-73af5cbeab43
Status
test
Level
high
Type
Detection
Created
Sat Nov 20
Modified
Wed Mar 29
Path
rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
Raw Tags
attack.executionattack.t1059