Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
Sigma rule

title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
        TargetFilename|startswith:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
    selection_2:
        Image|endswith:
            - '\certutil.exe'
            - '\forfiles.exe'
            - '\mshta.exe'
            # - '\rundll32.exe' # Potential FP
            - '\schtasks.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
        TargetFilename|contains:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
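To make the matching semantics of the two selections concrete, here is an added example (not code from the Sigma project or from this rule's author) that evaluates the rule by hand over constructed Sysmon-style file_event records. It assumes the Sysmon Event ID 11 field names Image and TargetFilename, and mirrors Sigma's default case-insensitive string matching; the event values are constructed for illustration and are not real telemetry. Note the two asymmetries the example exercises: cmd.exe writing under C:\Windows\Temp does not fire (that folder appears only in selection_2), and selection_2's contains modifier still catches a path carried with a leading \\?\ prefix that startswith would miss.

```python
# Added example, not code from the Sigma project: a minimal evaluator for this
# rule's two selections and its "1 of selection_*" condition, run over
# constructed Sysmon-style file_event records (Event ID 11 fields Image and
# TargetFilename). Sigma string modifiers match case-insensitively, so every
# comparison lowercases both sides.
from typing import Dict, List

# selection_1: shells / script hosts, TargetFilename|startswith
SELECTION_1_IMAGES = (
    "\\bash.exe", "\\cmd.exe", "\\cscript.exe", "\\msbuild.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\sh.exe", "\\wscript.exe",
)
SELECTION_1_PREFIXES = ("C:\\PerfLogs\\", "C:\\Users\\Public\\")

# selection_2: LOLBins, TargetFilename|contains (rundll32.exe stays out, as in the rule)
SELECTION_2_IMAGES = (
    "\\certutil.exe", "\\forfiles.exe", "\\mshta.exe",
    "\\schtasks.exe", "\\scriptrunner.exe", "\\wmic.exe",
)
SELECTION_2_SUBSTRINGS = ("C:\\PerfLogs\\", "C:\\Users\\Public\\", "C:\\Windows\\Temp\\")


def _lower_all(values):
    return tuple(v.lower() for v in values)


def matches_selection_1(event: Dict[str, str]) -> bool:
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(_lower_all(SELECTION_1_IMAGES)) and \
        target.startswith(_lower_all(SELECTION_1_PREFIXES))


def matches_selection_2(event: Dict[str, str]) -> bool:
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(_lower_all(SELECTION_2_IMAGES)) and \
        any(sub in target for sub in _lower_all(SELECTION_2_SUBSTRINGS))


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the selections the event satisfies; non-empty means the
    rule's condition (1 of selection_*) is met."""
    hits = []
    if matches_selection_1(event):
        hits.append("selection_1")
    if matches_selection_2(event):
        hits.append("selection_2")
    return hits


def alerting_indices(events) -> List[int]:
    """Indices of the events that would raise this rule's alert."""
    return [i for i, ev in enumerate(events) if evaluate(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: PowerShell dropping a script into the Public profile -> selection_1
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\Public\\update.vbs"},
    # 1: certutil writing under C:\Windows\Temp -> selection_2
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "TargetFilename": "C:\\Windows\\Temp\\decoded.bin"},
    # 2: cmd.exe writing to a user's Documents folder -> no match
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    # 3: cmd.exe writing to C:\Windows\Temp -> no match: that folder is only
    #    listed in selection_2, and cmd.exe is only listed in selection_1
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\Temp\\run.bat"},
    # 4: WMIC with a \\?\ prefixed path: startswith would miss it,
    #    contains catches it -> selection_2
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "TargetFilename": "\\\\?\\C:\\Users\\Public\\Libraries\\helper.dll"},
    # 5: rundll32.exe is commented out in the rule as a potential FP -> no match
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetFilename": "C:\\Users\\Public\\cache.dat"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        name = ev["Image"].rsplit("\\", 1)[-1]
        print(i, name, "->", evaluate(ev) or "no match")
```

This is a teaching aid, not a replacement for a Sigma backend: in production the rule would be converted with pySigma or sigma-cli into your SIEM's query language, which also handles the case-insensitivity and path escaping shown here.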
Related rules
- Abusable DLL Potential Sideloading From Suspicious Location
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Atlassian Confluence CVE-2022-26134
- Azure New CloudShell Created