While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
User Execution Malicious File Execution Moderate

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis

Data Model References

Object Action Field
file create extension
file create file_path


Pseudocode – Batch file created in the Windows system32 directory tree (Pseudocode, CAR native)

Pseudocode implementation of the Splunk search below

files = search File:create
batch_files = filter files where (
  extension =".bat" AND file_path = "C:\Windows\system32*" )
output batch_files

Splunk code (Splunk, Endpoint)

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

| tstats count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path   | rex field=file_name "(?<file_extension>\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat

Unit Tests

Test Case 1

Configurations: Using Splunk Attack Range

Replay the detection dataset using the Splunk attack range with the commands below

python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]

Test Case 2

Configurations: Using Invoke-AtomicRedTeam

execute the atomic test T1204.002 against a Windows target.

Invoke-AtomicTest T1204.002