While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.
|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
|---|---|---|---|
|User Execution|Malicious File|Execution|Moderate|

|D3-PSA|Process Spawn Analysis|
Data Model References
Pseudocode – Batch file created in the Windows system32 directory tree (Pseudocode, CAR native)
Pseudocode implementation of the Splunk search below
files = search File:create
batch_files = filter files where (
  extension = ".bat" AND file_path = "C:\Windows\system32*" )
output batch_files
Splunk code (Splunk, Endpoint)
You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
| tstats count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path
| rename Filesystem.file_path as file_path
| rex field=file_name "(?<file_extension>\.[^\.]+)$"
| search file_path=*system32* AND file_extension=.bat
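The filter above, as an added Python example (not part of the CAR analytic or the Splunk content): it applies the pseudocode's prefix match to file-creation records and lists the paths that only the wider `*system32*` wildcard of the Splunk search would flag. The record fields (`host`, `user`, `TargetFilename`) and all sample paths are assumptions constructed for illustration.

```python
import ntpath

# Constructed file-creation records (shaped like Sysmon Event ID 11 output).
# Field names and paths are assumptions for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "TargetFilename": r"C:\Windows\System32\update.bat"},
    {"host": "ws01", "user": "alice", "TargetFilename": r"c:\windows\SYSTEM32\drivers\etc\run.BAT"},
    {"host": "ws02", "user": "bob", "TargetFilename": r"C:\Users\bob\system32_backup\build.bat"},
    {"host": "ws02", "user": "bob", "TargetFilename": r"C:\Windows\System32\notes.bat.txt"},
    {"host": "ws03", "user": "SYSTEM", "TargetFilename": r"C:\Windows\System32\..\Temp\job.bat"},
    {"host": "ws03", "user": "SYSTEM", "TargetFilename": "C:/Windows/System32/Tasks/job.bat"},
]

SYSTEM32_PREFIX = ntpath.normcase("C:\\Windows\\System32") + "\\"


def in_system32_tree(path):
    """Pseudocode filter: .bat extension AND path under C:\\Windows\\System32."""
    # Normalise case, slash direction and ".." segments before comparing.
    norm = ntpath.normcase(ntpath.normpath(path))
    return ntpath.splitext(norm)[1] == ".bat" and norm.startswith(SYSTEM32_PREFIX)


def wildcard_match(path):
    """Splunk-style filter: file_path=*system32* AND extension .bat."""
    lowered = path.lower()
    return "system32" in lowered and ntpath.splitext(lowered)[1] == ".bat"


def detect(events, predicate=in_system32_tree):
    """Return the events whose created file satisfies the predicate."""
    return [e for e in events if predicate(e["TargetFilename"])]


def wildcard_only(events):
    """Paths the wildcard flags but the prefix match does not."""
    strict = {e["TargetFilename"] for e in detect(events)}
    return [e["TargetFilename"] for e in detect(events, wildcard_match)
            if e["TargetFilename"] not in strict]


if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print(f'{e["host"]} {e["user"]} {e["TargetFilename"]}')
    print("wildcard-only:", wildcard_only(SAMPLE_EVENTS))
```

The wildcard-only paths are where the two implementations on this page disagree, so they are the first place to look when tuning false positives.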
Test Case 1
Configurations: Using Splunk Attack Range
Replay the detection dataset using the Splunk attack range with the commands below
python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
Test Case 2
Configurations: Using Invoke-AtomicRedTeam
Execute the atomic test T1204.002 against a Windows target.