splunk · tccontre · Apr 21, 2026 · Apr 21, 2026
@@ -1,36 +1,58 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
 version: 26
-date: '2026-04-16'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: 'The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems.
-
-    It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\).
-
-    This activity can be significant as adversaries often use these paths to evade detection and maintain persistence.
-
-    If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
-
-'
+description: The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem dataset to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
 data_source:
     - Sysmon EventID 11
-search: "| tstats `security_content_summariesonly`\n  count min(_time) as firstTime\n        max(_time) as lastTime\n\nfrom datamodel=Endpoint.Filesystem where\n\nFilesystem.file_name IN (\n  \"*.bat\",\n  \"*.cmd\",\n  \"*.com\",\n  \"*.dll\",\n  \"*.exe\",\n  \"*.js\",\n  \"*.msc\",\n  \"*.pif\",\n  \"*.ps1\",\n  \"*.sys\",\n  \"*.vbe\",\n  \"*.vbs\"\n)\nFilesystem.file_path IN (\n  \"*\\\\PerfLogs\\\\*\",\n  \"*\\\\Users\\\\Administrator\\\\Music\\\\*\",\n  \"*\\\\Users\\\\Default\\\\*\",\n  \"*\\\\Users\\\\Public\\\\*\",\n  \"*\\\\Windows\\\\debug\\\\*\",\n  \"*\\\\Windows\\\\fonts\\\\*\",\n  \"*\\\\Windows\\\\Media\\\\*\",\n  \"*\\\\Windows\\\\repair\\\\*\",\n  \"*\\\\Windows\\\\servicing\\\\*\",\n  \"*Recycle.bin*\",\n  \"*:\\\\inetpub\\\\*\"\n)\n\nby Filesystem.action Filesystem.dest Filesystem.file_access_time\n   Filesystem.file_create_time Filesystem.file_hash\n   Filesystem.file_modify_time Filesystem.file_name\n   Filesystem.file_path Filesystem.file_acl Filesystem.file_size\n   Filesystem.process_guid Filesystem.process_id Filesystem.user\n   Filesystem.vendor_product\n| `drop_dm_object_name(Filesystem)`\n| `security_content_ctime(firstTime)`\n| `security_content_ctime(lastTime)`\n| `executables_or_script_creation_in_suspicious_path_filter`\n"
-how_to_implement: 'To successfully implement this search you need to be ingesting
-
-    information on process that include the name of the Filesystem responsible for
-
-    the changes from your endpoints into the `Endpoint` datamodel in the
-
-    `Filesystem` node.
-
-'
-known_false_positives: 'Some false positives may arise from paths like Recycle.bin and \Users\Public.
-
-    Other than that executable creation and certain script extensions in these suspicious paths should be less common.
-
-'
+search: |-
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+    from datamodel=Endpoint.Filesystem where
+    Filesystem.file_name IN (
+      "*.bat",
+      "*.cmd",
+      "*.com",
+      "*.dll",
+      "*.exe",
+      "*.js",
+      "*.msc",
+      "*.pif",
+      "*.ps1",
+      "*.sys",
+      "*.vbe",
+      "*.vbs"
+    )
+    Filesystem.file_path IN (
+      "*\\PerfLogs\\*",
+      "*\\Users\\Administrator\\Music\\*",
+      "*\\Users\\Default\\*",
+      "*\\Users\\Public\\*",
+      "*\\Windows\\debug\\*",
+      "*\\Windows\\fonts\\*",
+      "*\\Windows\\Media\\*",
+      "*\\Windows\\repair\\*",
+      "*\\Windows\\servicing\\*",
+      "*Recycle.bin*",
+      "*:\\inetpub\\*"
+      "*\\Microsoft\\Windows\\Libraries\\*"
+    )
+    by Filesystem.action Filesystem.dest Filesystem.file_access_time
+       Filesystem.file_create_time Filesystem.file_hash
+       Filesystem.file_modify_time Filesystem.file_name
+       Filesystem.file_path Filesystem.file_acl Filesystem.file_size
+       Filesystem.process_guid Filesystem.process_id Filesystem.user
+       Filesystem.vendor_product
+    | `drop_dm_object_name(Filesystem)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `executables_or_script_creation_in_suspicious_path_filter`
+how_to_implement: To successfully implement this search you need to be ingestinginformation on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
+known_false_positives: Some false positives may arise from paths like Recycle.bin and \Users\Public. Other than that executable creation and certain script extensions in these suspicious paths should be less common.
 references:
     - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
     - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
@@ -115,6 +137,7 @@ tags:
         - XML Runner Loader
         - Void Manticore
         - Axios Supply Chain Post Compromise
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1036

@@ -1,26 +1,44 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
 version: 22
-date: '2026-04-16'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: 'The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems.
-
-    It leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in temporary directories (e.g., \windows\Temp\, \AppData\Local\Temp\).
-
-    This activity can be significant as adversaries often use these paths to evade detection and maintain persistence.
-
-    If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
-
-'
+description: The following analytic identifies the creation of executables or scripts in temporary file paths on Windows systems. It leverages the Endpoint.Filesystem data set to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in temporary directories (e.g., \windows\Temp\, \AppData\Local\Temp\). This activity can be significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
 data_source:
     - Sysmon EventID 11
-search: "| tstats `security_content_summariesonly`\n  count min(_time) as firstTime\n        max(_time) as lastTime\n\nfrom datamodel=Endpoint.Filesystem where\n\nFilesystem.action=\"created\"\nFilesystem.file_name IN (\n  \"*.bat\",\n  \"*.cmd\",\n  \"*.com\",\n  \"*.dll\",\n  \"*.exe\",\n  \"*.js\",\n  \"*.msc\",\n  \"*.pif\",\n  \"*.ps1\",\n  \"*.sys\",\n  \"*.vbe\",\n  \"*.vbs\"\n)\nFilesystem.file_path IN (\n  \"*:\\\\Temp\\\\*\",\n  \"*:\\\\Windows\\\\Temp\\\\*\",\n  \"*\\\\AppData\\\\Local\\\\Temp\\\\*\",\n)\nNOT Filesystem.file_path IN (\n  \"*\\\\__PSScriptPolicyTest_*\",\n)\nby Filesystem.action Filesystem.dest Filesystem.file_access_time\n   Filesystem.file_create_time Filesystem.file_hash\n   Filesystem.file_modify_time Filesystem.file_name\n   Filesystem.file_path Filesystem.file_acl Filesystem.file_size\n   Filesystem.process_guid Filesystem.process_id Filesystem.user\n   Filesystem.vendor_product\n| `drop_dm_object_name(Filesystem)`\n| `security_content_ctime(firstTime)`\n| `security_content_ctime(lastTime)`\n| `executables_or_script_creation_in_temp_path_filter`\n"
+search: |-
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime max(_time) as lastTime
+      from datamodel=Endpoint.Filesystem
+      where Filesystem.action= "created"
+      Filesystem.file_name IN (
+        "*.bat",
+        "*.cmd",
+        "*.com",
+        "*.dll",
+        "*.exe",
+        "*.js",
+        "*.msc",
+        "*.pif",
+        "*.ps1",
+        "*.sys",
+        "*.vbe",
+        "*.vbs") AND
+      Filesystem.file_path IN (
+        "*:\\Temp\\*",
+        "*:\\Windows\\Temp\\*",
+        "*\\AppData\\Local\\Temp\\*"
+        )
+      AND NOT Filesystem.file_path IN ("*\\__PSScriptPolicyTest_*",)
+      by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
+      | `drop_dm_object_name(Filesystem)`
+      | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`
+      | `executables_or_script_creation_in_temp_path_filter`
 how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the Filesystem responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-known_false_positives: 'Executable creation and certain script extensions in temporary paths can very common in certain environments and legitimate use cases. It is important to review and filter these events based on your organization''s normal activity and policies.
-
-'
+known_false_positives: Executable creation and certain script extensions in temporary paths can very common in certain environments and legitimate use cases. It is important to review and filter these events based on your organization''s normal activity and policies.
 references:
     - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
     - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
@@ -98,6 +116,7 @@ tags:
         - XML Runner Loader
         - Void Manticore
         - Axios Supply Chain Post Compromise
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1036

@@ -1,7 +1,7 @@
 name: Hiding Files And Directories With Attrib exe
 id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1
 version: 16
-date: '2026-04-15'
+date: '2026-04-21'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -54,6 +54,7 @@ tags:
         - Compromised Windows Host
         - Windows Defense Evasion Tactics
         - Crypto Stealer
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1222.001

@@ -1,7 +1,7 @@
 name: Logon Script Event Trigger Execution
 id: 4c38c264-1f74-11ec-b5fa-acde48001122
 version: 10
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -38,6 +38,7 @@ tags:
         - Windows Privilege Escalation
         - Hermetic Wiper
         - Windows Persistence Techniques
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1037.001

@@ -1,7 +1,7 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
 version: 16
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -49,6 +49,7 @@ tags:
         - China-Nexus Threat Activity
         - Lokibot
         - BlankGrabber Stealer
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
 version: 16
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -51,6 +51,7 @@ tags:
         - 0bj3ctivity Stealer
         - Lokibot
         - BlankGrabber Stealer
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
 version: 18
-date: '2026-04-16'
+date: '2026-04-21'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -52,6 +52,7 @@ tags:
         - NetSupport RMM Tool Abuse
         - MuddyWater
         - Axios Supply Chain Post Compromise
+        - VIP Keylogger
     mitre_attack_id:
         - T1027
         - T1059.001

@@ -1,7 +1,7 @@
 name: PowerShell Loading DotNET into Memory via Reflection
 id: 85bc3f30-ca28-11eb-bd21-acde48001122
 version: 16
-date: '2026-04-16'
+date: '2026-04-21'
 author: Michael Haag, Teoderick Contreras Splunk
 status: production
 type: Anomaly
@@ -24,9 +24,7 @@ search: '`powershell` EventCode=4104 ScriptBlockText IN ("*Reflection.Assembly]:
 
     | `security_content_ctime(lastTime)`
 
-    | `powershell_loading_dotnet_into_memory_via_reflection_filter`
-
-'
+    | `powershell_loading_dotnet_into_memory_via_reflection_filter` '
 how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
 known_false_positives: False positives should be limited as day to day scripts do not use this method.
 references:
@@ -65,6 +63,7 @@ tags:
         - 0bj3ctivity Stealer
         - Hellcat Ransomware
         - Axios Supply Chain Post Compromise
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001

@@ -1,7 +1,7 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
 version: 14
-date: '2026-04-16'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -54,6 +54,7 @@ tags:
         - Scattered Spider
         - BlankGrabber Stealer
         - Axios Supply Chain Post Compromise
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1592

@@ -1,7 +1,7 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
 version: 19
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
     - Windows Event Log Security 4663
@@ -48,6 +48,7 @@ tags:
         - 0bj3ctivity Stealer
         - Scattered Lapsus$ Hunters
         - BlankGrabber Stealer
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
 version: 19
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -53,6 +53,7 @@ tags:
         - Lokibot
         - Scattered Lapsus$ Hunters
         - BlankGrabber Stealer
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
 version: 19
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -53,6 +53,7 @@ tags:
         - Lokibot
         - Scattered Lapsus$ Hunters
         - BlankGrabber Stealer
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -1,7 +1,7 @@
 name: Windows Powershell Cryptography Namespace
 id: f8b482f4-6d62-49fa-a905-dfa15698317b
 version: 13
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -47,6 +47,7 @@ tags:
     analytic_story:
         - AsyncRAT
         - XWorm
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.001

@@ -1,7 +1,7 @@
 name: Windows Screen Capture in TEMP folder
 id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c
 version: 10
-date: '2026-04-15'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 data_source:
     - Sysmon EventID 11
@@ -37,6 +37,7 @@ tags:
         - Braodo Stealer
         - APT37 Rustonotto and FadeStealer
         - Hellcat Ransomware
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1113

@@ -1,7 +1,7 @@
 name: Windows Suspicious Process File Path
 id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
 version: 22
-date: '2026-04-16'
+date: '2026-04-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -93,6 +93,7 @@ tags:
         - SesameOp
         - Void Manticore
         - Axios Supply Chain Post Compromise
+        - VIP Keylogger
     asset_type: Endpoint
     mitre_attack_id:
         - T1543