Adversaries may use scripting tools to write malicious files to suspicious folders as part of persistence or command and control activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware deployment or data exfiltration attempts.
Detection Rule
title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
        TargetFilename|startswith:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
    selection_2:
        Image|endswith:
            - '\certutil.exe'
            - '\forfiles.exe'
            - '\mshta.exe'
            # - '\rundll32.exe' # Potential FP
            - '\schtasks.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
        TargetFilename|contains:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
imFileEvent
// ASIM FileEvent field mapping: the Sigma "Image" is the process performing the
// write (ActingProcessName), and "TargetFilename" is the full path of the file
// written (TargetFilePath). ASIM's TargetFileName holds only the base name, so the
// folder prefixes must be tested against TargetFilePath, not TargetFileName.
| where (
        (ActingProcessName endswith "\\bash.exe" or ActingProcessName endswith "\\cmd.exe" or ActingProcessName endswith "\\cscript.exe" or ActingProcessName endswith "\\msbuild.exe" or ActingProcessName endswith "\\powershell.exe" or ActingProcessName endswith "\\pwsh.exe" or ActingProcessName endswith "\\sh.exe" or ActingProcessName endswith "\\wscript.exe")
        and (TargetFilePath startswith "C:\\PerfLogs\\" or TargetFilePath startswith "C:\\Users\\Public\\")
    )
    or (
        (ActingProcessName endswith "\\certutil.exe" or ActingProcessName endswith "\\forfiles.exe" or ActingProcessName endswith "\\mshta.exe" or ActingProcessName endswith "\\schtasks.exe" or ActingProcessName endswith "\\scriptrunner.exe" or ActingProcessName endswith "\\wmic.exe")
        and (TargetFilePath contains "C:\\PerfLogs\\" or TargetFilePath contains "C:\\Users\\Public\\" or TargetFilePath contains "C:\\Windows\\Temp\\")
    )
Scenario: A system administrator is using PowerShell to generate temporary log files in the C:\Windows\Temp directory as part of a routine system health check.
Filter/Exclusion: Exclude files written to C:\Windows\Temp by processes running under an administrative user or the SYSTEM account.
Scenario: A scheduled task runs a VBScript or batch file to update configuration files in the C:\ProgramData folder as part of an application update process.
Filter/Exclusion: Exclude file writes to C:\ProgramData initiated by scheduled tasks with known update-related names or by service accounts.
Scenario: A Windows service (e.g., Windows Update or Task Scheduler) writes to the C:\Windows\SoftwareDistribution folder to store temporary update files.
Filter/Exclusion: Exclude file writes to C:\Windows\SoftwareDistribution by processes running under a service account or in the SYSTEM context.
Scenario: A developer uses Python or Node.js to write output files to the C:\Users\<User>\AppData\Local\Temp directory during testing or debugging.
Filter/Exclusion: Exclude file writes to C:\Users\*\AppData\Local\Temp by processes associated with development tools or IDEs (e.g., Visual Studio, PyCharm).
Scenario: A Group Policy client extension writes files to the C:\Windows\Temp directory during policy processing.
Filter/Exclusion: Exclude file writes to C:\Windows\Temp by processes with Group Policy or PolicyAgent in their command line or process name.
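The rule's two selections and the tuning scenarios above, as an added Python example (not code from the page, the Sigma project or the rule's author): it reimplements the Sigma matching over constructed Sysmon-style FileCreate records and encodes the two C:\Windows\Temp scenarios as allow-list entries that run after the rule. The event field names, sample paths, account names and the assumption that a command line has been joined in from the process-create event are all mine. The other scenarios (C:\ProgramData, C:\Windows\SoftwareDistribution, C:\Users\<User>\AppData\Local\Temp) name folders that the rule's path lists do not cover, so they would only matter after widening those lists; the sample set also includes a PowerShell write to C:\Windows\Temp to show that selection_1 does not cover that folder either.

```python
"""Added example: the Sigma rule's selections as a Python matcher, run over
constructed Sysmon-style file-create records, plus an allow-list encoding the
C:\\Windows\\Temp tuning scenarios as data. Not the page's or the project's code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Values copied from the Sigma rule. Sigma string modifiers are case-insensitive,
# so every comparison below lower-cases both sides.
SHELL_IMAGES = ("\\bash.exe", "\\cmd.exe", "\\cscript.exe", "\\msbuild.exe",
                "\\powershell.exe", "\\pwsh.exe", "\\sh.exe", "\\wscript.exe")
SHELL_PATHS = ("C:\\PerfLogs\\", "C:\\Users\\Public\\")
LOLBIN_IMAGES = ("\\certutil.exe", "\\forfiles.exe", "\\mshta.exe",
                 "\\schtasks.exe", "\\scriptrunner.exe", "\\wmic.exe")
LOLBIN_PATHS = ("C:\\PerfLogs\\", "C:\\Users\\Public\\", "C:\\Windows\\Temp\\")


@dataclass
class FileEvent:
    """Sysmon Event ID 11 (FileCreate) style record, constructed for this example."""
    image: str              # Image: full path of the process that wrote the file
    target: str             # TargetFilename: full path of the file written
    user: str = ""          # User: DOMAIN\name owning the process (tuning only)
    command_line: str = ""  # Assumed joined in from the process-create event


def _endswith_any(value: str, suffixes) -> bool:
    return any(value.endswith(s.lower()) for s in suffixes)


def _startswith_any(value: str, prefixes) -> bool:
    return any(value.startswith(p.lower()) for p in prefixes)


def _contains_any(value: str, needles) -> bool:
    return any(n.lower() in value for n in needles)


def matches_rule(ev: FileEvent) -> Optional[str]:
    """Return the Sigma selection that fires for this event, or None.
    The asymmetry from the rule is kept: selection_1 anchors the path with
    startswith, selection_2 only requires contains."""
    img, tgt = ev.image.lower(), ev.target.lower()
    if _endswith_any(img, SHELL_IMAGES) and _startswith_any(tgt, SHELL_PATHS):
        return "selection_1"
    if _endswith_any(img, LOLBIN_IMAGES) and _contains_any(tgt, LOLBIN_PATHS):
        return "selection_2"
    return None


@dataclass
class Exclusion:
    """One tuning filter; every populated field must match for it to apply."""
    name: str
    path_prefix: str              # directory the scenario is scoped to
    users: tuple = ()             # exact (case-insensitive) account names
    process_contains: tuple = ()  # substrings of Image or CommandLine

    def applies(self, ev: FileEvent) -> bool:
        if not ev.target.lower().startswith(self.path_prefix.lower()):
            return False
        if self.users and ev.user.lower() not in tuple(u.lower() for u in self.users):
            return False
        if self.process_contains and not _contains_any(
                ev.image.lower() + " " + ev.command_line.lower(), self.process_contains):
            return False
        return True


# Only the two C:\Windows\Temp scenarios intersect the rule's path lists, so only
# they are encoded. The account name is an assumption; narrow it to your estate.
EXCLUSIONS = [
    Exclusion("gpo-processing", "C:\\Windows\\Temp\\",
              process_contains=("policyagent", "group policy")),
    Exclusion("system-temp-writes", "C:\\Windows\\Temp\\",
              users=("NT AUTHORITY\\SYSTEM",)),
]


def triage(events: Iterable[FileEvent]) -> List[dict]:
    """Apply the rule, then the allow-list, and return one verdict per event."""
    verdicts = []
    for ev in events:
        selection = matches_rule(ev)
        excluded_by = None
        if selection:
            excluded_by = next((x.name for x in EXCLUSIONS if x.applies(ev)), None)
        verdicts.append({"image": ev.image, "target": ev.target,
                         "selection": selection, "excluded_by": excluded_by,
                         "alert": selection is not None and excluded_by is None})
    return verdicts


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\update.vbs", r"CORP\jdoe"),
    FileEvent(r"C:\Windows\System32\certutil.exe",
              r"C:\Windows\Temp\dropped.dat", r"CORP\jdoe"),
    FileEvent(r"C:\Windows\System32\schtasks.exe",
              r"C:\Windows\Temp\gp.log", r"NT AUTHORITY\SYSTEM",
              r"schtasks.exe /query /tn PolicyAgent"),
    # Scenario 1 above: PowerShell writing a health-check log to C:\Windows\Temp.
    # selection_1 does not list that folder, so this never fires in the first place.
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Temp\healthcheck.log", r"CORP\admin"),
    FileEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\Public\notes.txt", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_EVENTS):
        print(verdict)
```

Running the block prints five verdicts: the first two alert, the schtasks write is suppressed by the Group Policy entry, and the last two never match the rule. Keeping the exclusions as data rather than editing the Sigma filter makes each tuning decision reviewable on its own and easy to translate back into a KQL `where not (...)` clause.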