Suspicious Script Execution From Temp Folder

Detects a suspicious script executions from temporary folder

Sigma rule (View on GitHub)

 1title: Suspicious Script Execution From Temp Folder
 2id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
 3status: test
 4description: Detects a suspicious script executions from temporary folder
 5references:
 6    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 7author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
 8date: 2021/07/14
 9modified: 2022/10/05
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith:
19            - '\powershell.exe'
20            - '\pwsh.exe'
21            - '\mshta.exe'
22            - '\wscript.exe'
23            - '\cscript.exe'
24        CommandLine|contains:
25            - '\Windows\Temp'
26            - '\Temporary Internet'
27            - '\AppData\Local\Temp'
28            - '\AppData\Roaming\Temp'
29            - '%TEMP%'
30            - '%TMP%'
31            - '%LocalAppData%\Temp'
32    filter:
33        CommandLine|contains:
34            - ' >'
35            - 'Out-File'
36            - 'ConvertTo-Json'
37            - '-WindowStyle hidden -Verb runAs'  # VSCode behaviour if file cannot be written as current user
38            - '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\' # EC2 AWS
39    condition: selection and not filter
40falsepositives:
41    - Administrative scripts
42level: high

References

Related rules

to-top