Detection rules › Splunk
Executable Process from Suspicious Folder (PowerShell)
Detects the execution of executable process spawned by powershell or similar processes from suspicious file locations like temp, appdata, and downloads
MITRE ATT&CK coverage
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '5746.6449'
title: Executable Process from Suspicious Folder
description: 'Detects the execution of executable process spawned by powershell or
similar processes from suspicious file locations like temp, appdata, and downloads.
- Threat Actor Association: Andariel, APT10/menuPass, APT28 (aka.Fancy Bear, Fighting
Ursa, Forest Blizzard, Pawn Storm, TA422, STRONTIUM), APT34/OilRig, Blind Eagle/APT-C-36,
Carbanak, Evilnum, FIN7, FIN8, GoldenJackal, Gorgon Group, Kimsuky, Lazarus, Magic
Hound (aka APT35, Charming Kitten, Phosphorus, and Mint Sandstorm), Mustang Panda
(aka. Stately Taurus//Earth Preta/BRONZE PRESIDENT/TA416/RedDelta), Redfly, TA505,
TA551, UNC2465, Volt Typhoon, WinterVivern/UAC-0114 -- Software Association: Babuk,
BadHatch, Bazar, Blackbyte, Clop, IcedID, Lockbit, MagicRAT, PowerShortShell, PYSA/Mespinoza,
SmokedHAM, SolidBit, RATDispenser, Remcos, TA413, TargetCompany, Trickbot, Trigona,
Yellow Cockatoo/Jupiter Infostealer, Vidar Stealer, WhisperGate - #TrendingThreat
#Russia #Ukraine - Atomics T1574.001 Test#1'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` TERM(EventCode=4104) ("Temporary
Internet Files" OR TERM("TEMP") OR TERM("Downloads") OR TERM("Appdata"))| regex
Path="(?i)Temp|Downloads|Appdata" | eval process_path=Path | table _time, host,
user process, process_*, signature_id, user | bin span=1s | stats values(*) as *
by _time, host '
techniques:
- execution:command and scripting interpreter
- execution:user execution
- execution:command and scripting interpreter:visual basic
- defense-evasion:system binary proxy execution:rundll32
- execution:command and scripting interpreter:javascript
technique_id:
- T1059
- T1204
- T1059.007
- T1218.011
- T1059.005
data_category:
- Process command-line parameters
- PowerShell logs
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` TERM(EventCode=4104) ("Temporary Internet Files" OR TERM("TEMP") OR TERM("Downloads") OR TERM("Appdata"))
Stage 2: regex
| regex Path="(?i)Temp|Downloads|Appdata"
Stage 3: eval
| eval process_path=Path
Stage 4: table
| table _time, host, user process, process_*, signature_id, user
Stage 5: bucket
| bin span=1s
Stage 6: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "Temporary Internet Files" |
| 1 | "TEMP" |
| 1 | "Downloads" |
| 1 | "Appdata" |