File Creation of Executables in Temp Folders (Event 4663)
Detects Event ID 4663 write access (AccessList %%4417, WriteData/AddFile) to a file whose name ends in .exe and whose path contains "temp" or "tmp". This is the footprint left when an executable is copied into a temporary directory to hide its use, as in the referenced Atomic Red Team test that masquerades as lsass.exe. Note that 4663 is only emitted when Object Access auditing is enabled and the directory carries a SACL that audits write access; without that configuration the rule cannot fire.
Sigma rule
```yaml
title: File Creation of Executables in Temp Folders (Event 4663)
id: 069aacee-0176-4bdd-8c8b-09e958b88b70
status: experimental
description: Detects creation of files potentially matching attempts to copy executables to temporary directories to hide usage.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
author: Micah Babinski
date: 2022/12/11
tags:
  - attack.defense_evasion
  - attack.t1036.003
  - attack.t1036
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4663
    ObjectType: 'File'
    AccessList: '%%4417'
    ObjectName|endswith: '.exe'
    ObjectName|contains:
      - 'temp'
      - 'tmp'
  condition: selection
falsepositives:
  - Unknown
level: high
```
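To see exactly which events the selection above accepts and rejects, here is the rule's matching logic applied to a handful of constructed Event ID 4663 records. This is an added example, not code from the Sigma project or the rule author; the event dictionaries, their paths and the helper names are assumptions made for illustration. It mirrors Sigma's default semantics: plain values are full, case-insensitive matches, while `endswith` and `contains` are substring checks.

```python
"""Apply the selection of the 4663 temp-folder executable rule to sample events."""


def _ci(value: object) -> str:
    # Sigma string comparisons are case-insensitive by default.
    return str(value).casefold()


def matches_selection(event: dict) -> bool:
    """Return True when the event satisfies every field of the rule's selection."""
    if str(event.get("EventID")) != "4663":
        return False
    if _ci(event.get("ObjectType", "")) != "file":
        return False
    # 'AccessList: %%4417' has no modifier, so it is a full-value match:
    # WriteData (or AddFile) must be the only access right in the field.
    if _ci(event.get("AccessList", "")) != "%%4417":
        return False
    name = _ci(event.get("ObjectName", ""))
    if not name.endswith(".exe"):          # ObjectName|endswith: '.exe'
        return False
    # ObjectName|contains with a list is an OR over the listed values.
    return any(token in name for token in ("temp", "tmp"))


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {   # hit: executable written under the user's Temp directory
        "EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
        "ObjectName": r"C:\Users\alice\AppData\Local\Temp\lsass.exe",
    },
    {   # miss: same binary name but not in a temp/tmp path
        "EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
        "ObjectName": r"C:\Windows\System32\lsass.exe",
    },
    {   # miss: read access (%%4416) rather than write
        "EventID": 4663, "ObjectType": "File", "AccessList": "%%4416",
        "ObjectName": r"C:\Users\alice\AppData\Local\Temp\lsass.exe",
    },
    {   # hit: 'tmp' token and .exe suffix, upper-case extension still matches
        "EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
        "ObjectName": r"C:\tmp\update.EXE",
    },
    {   # miss: not an .exe
        "EventID": 4663, "ObjectType": "File", "AccessList": "%%4417",
        "ObjectName": r"C:\Users\bob\AppData\Local\Temp\payload.dll",
    },
    {   # miss: several rights in one AccessList value; exact match fails
        "EventID": 4663, "ObjectType": "File",
        "AccessList": "%%4417\r\n\t\t\t\t%%4418",
        "ObjectName": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",
    },
]


def run(events=SAMPLE_EVENTS) -> list[str]:
    """Return the ObjectName of every event that triggers the rule."""
    return [e["ObjectName"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

The last sample is the edge case worth keeping in mind: Windows can report several access rights in one 4663 AccessList field, and because the rule uses an exact value rather than `AccessList|contains`, such events do not match. Whether that is acceptable depends on how the auditing SACL on the monitored directories is scoped.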
References
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
Related rules
- Command or Scripting Interpreter Creating EXE File
- Process Creation without .exe File Extension
- Unexpected Internal Process Name
- Process Executing with Unusual Command Lines