
Overlap Between “Executables Or Script Creation In Temp Path” and “Executables Or Script Creation In Suspicious Path” #3805

@thegreatmhn

Description


Hi Splunk Team,

While reviewing the ESCU content, I noticed a functional overlap between the following two detections:

Executables Or Script Creation In Temp Path

Executables Or Script Creation In Suspicious Path

Both scenarios focus on detecting executable or script file creation in suspicious or abnormal locations. In practice, the Temp-path detection is a narrow subset of the more general suspicious-path rule. Because of this, they can be merged into a single consolidated detection without losing coverage.

Proposed Final Unified Scenario

Here is the combined search logic that accurately represents both use cases:

```spl
| tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc")
AND Filesystem.file_path IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "*\\Windows\\repair\\*", "*\\PerfLogs\\*", "*\\AppData\\Local\\Temp\\*")
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `executables_or_script_creation_in_suspicious_path_filter`
```

Additional Technical Note

The path C:\Windows\Temp is not a world-writable directory.
Because of this, treating it as a “world-writable high-risk location” in the filter logic of the original scenario is not accurate.
To avoid false assumptions and improve detection quality, this directory should not be categorized as world-writable.

Request

I recommend merging the two detections into one consolidated rule using the SPL above and adjusting the filter logic to remove the assumption that C:\Windows\Temp is world-writable.

Thank you! Let me know if any additional details are needed.
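The overlap argument above can be checked offline. The following is an added example, not the issue author's SPL or any ESCU code: it re-implements the `where` clause of both searches as wildcard matching in Python, runs it over a handful of constructed file-creation events, and confirms that every event the Temp-path pattern set catches is also caught by the broader suspicious-path set. The path patterns assume the wildcard form the ESCU searches use (`*\\windows\\temp\\*`); the sample events are invented.

```python
import fnmatch

# Extension list shared by both detections (wildcard form as in the SPL).
EXT_PATTERNS = ["*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js",
                "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc"]

# Path set of the narrow "Temp Path" rule (assumed: the two temp locations).
TEMP_PATHS = ["*\\windows\\temp\\*", "*\\appdata\\local\\temp\\*"]

# Path set of the broader "Suspicious Path" rule: the temp paths plus the rest.
SUSPICIOUS_PATHS = TEMP_PATHS + [
    "*\\windows\\fonts\\*", "*\\users\\public\\*", "*\\windows\\debug\\*",
    "*\\users\\administrator\\music\\*", "*\\windows\\servicing\\*",
    "*\\users\\default\\*", "*recycle.bin*", "*\\windows\\media\\*",
    "*\\windows\\repair\\*", "*\\perflogs\\*",
]


def _matches_any(value, patterns):
    # Case-insensitive match, as Windows paths are case-insensitive.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def match_events(events, path_patterns):
    """Events whose file_name has a scripted/executable extension AND whose
    file_path hits one of path_patterns (the tstats `where` clause)."""
    return [e for e in events
            if _matches_any(e["file_name"], EXT_PATTERNS)
            and _matches_any(e["file_path"], path_patterns)]


def temp_hits_are_subset_of_suspicious(events):
    """True when every Temp-path hit is also a Suspicious-path hit."""
    temp_hits = match_events(events, TEMP_PATHS)
    susp_hits = match_events(events, SUSPICIOUS_PATHS)
    return all(e in susp_hits for e in temp_hits)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "file_name": "loader.exe", "file_path": "C:\\Windows\\Temp\\loader.exe"},
    {"dest": "ws01", "file_name": "run.ps1", "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\run.ps1"},
    {"dest": "ws02", "file_name": "tool.dll", "file_path": "C:\\Users\\Public\\tool.dll"},
    {"dest": "ws02", "file_name": "notes.txt", "file_path": "C:\\Windows\\Temp\\notes.txt"},
    {"dest": "ws03", "file_name": "app.exe", "file_path": "C:\\Program Files\\Vendor\\app.exe"},
]

if __name__ == "__main__":
    print(len(match_events(SAMPLE_EVENTS, TEMP_PATHS)),
          len(match_events(SAMPLE_EVENTS, SUSPICIOUS_PATHS)),
          temp_hits_are_subset_of_suspicious(SAMPLE_EVENTS))
```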
