
Windows File Without Extension In Critical Folder

Author: Teoderick Contreras, Bhavin Patel, Splunk
Source: upstream

This analytic detects the creation of files without an extension in critical Windows system and driver directories, including System32\Drivers, Windows\WinSxS, the DriverStore, and the other driver storage and loading paths listed in the search below. The path list covers the commonly abused Windows driver folder locations rather than only System32\Drivers, which widens visibility into attempts to stage or deploy kernel-mode components. The analytic reads file creation events from the Endpoint.Filesystem data model, matches file_path against the list of protected directories, and flags events whose file_name carries no extension. Extensionless files appearing in these locations are unusual for legitimate software and can indicate a driver being staged by destructive or stealthy malware. The behavior matches malware families such as HermeticWiper, which deploy kernel driver components into trusted Windows driver directories to gain low-level access and execute destructive payloads. If confirmed malicious, the activity can lead to deployment of a malicious driver, destruction of boot sectors or filesystem structures, and ultimately an inoperable system with irreversible data loss.

Note that several covered paths also receive legitimate extensionless files: installers routinely write LICENSE or README files under *\Program Files*, and System32\drivers\etc holds the extensionless hosts file, which some tools recreate rather than edit in place. Tune the closing filter macro for known installers and configuration-management tools before alerting on every match.

MITRE ATT&CK coverage

Tactic: Impact
Technique: T1485 Data Destruction

Event coverage

Provider: Sysmon
Event ID: 11
Title: FileCreate

Stages and Predicates

Stage 1: tstats

tstats WHERE Filesystem.file_path IN ("*:\\Windows\\WinSxS\\*", "*\\Program Files*", "*\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*", "*\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*", "*\\System32\\Boot\\*", "*\\System32\\Recovery\\*", "*\\System32\\drivers\\*", "*\\WINDOWS\\System32\\DriverStore\\*", "*\\WINDOWS\\inf\\*", "*\\Windows\\Boot\\*", "*\\Windows\\ELAMBKUP\\*", "*\\Windows\\servicing\\*", "*\\syswow64\\drivers\\*", "C:\\AMD\\*", "C:\\OEM\\*") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product

Stage 2: search

search

Stage 3: rex

rex field="file_name" ...

Stage 4: where

where isnull(extension)

Stage 5: search

search

Stage 6: search

search

Stage 7: search

search `macro`
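The stages above, run over constructed sample records as an added worked example (this is not part of the analytic or of Splunk's content). The path list is copied from the tstats WHERE clause, Splunk's case-insensitive `*` wildcard is translated to a regex, and because the page elides the rex pattern, the extension extractor is an assumed regex (a dot followed by non-dot characters at the end of file_name) chosen so that `where isnull(extension)` has something to test. The events, hosts, users and names (xdrv, ExampleApp, bob) are made up, and the site-specific filter macro of the last stage is not modelled.

```python
import re

# Path patterns copied from the analytic's tstats WHERE clause. In SPL each
# "\\" inside the quoted string is one literal backslash; Python raw strings
# express the same thing with a single backslash.
CRITICAL_PATH_PATTERNS = [
    r"*:\Windows\WinSxS\*",
    r"*\Program Files*",
    r"*\ProgramData\Microsoft\Windows Defender\Definition Updates\*",
    r"*\ProgramData\Microsoft\Windows Defender\Platform\*",
    r"*\System32\Boot\*",
    r"*\System32\Recovery\*",
    r"*\System32\drivers\*",
    r"*\WINDOWS\System32\DriverStore\*",
    r"*\WINDOWS\inf\*",
    r"*\Windows\Boot\*",
    r"*\Windows\ELAMBKUP\*",
    r"*\Windows\servicing\*",
    r"*\syswow64\drivers\*",
    r"C:\AMD\*",
    r"C:\OEM\*",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk wildcard pattern: '*' matches any run of characters,
    everything else is literal, and the comparison is case-insensitive."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


CRITICAL_PATH_REGEXES = [wildcard_to_regex(p) for p in CRITICAL_PATH_PATTERNS]


def in_critical_folder(file_path: str) -> bool:
    """Stage 1: Filesystem.file_path IN (...)."""
    return any(rx.match(file_path) for rx in CRITICAL_PATH_REGEXES)


# Assumed extension extractor (the page elides the rex pattern): a dot
# followed by a run of non-dot characters at the end of file_name. Note the
# consequences: ".gitattributes" yields ".gitattributes" and "update." yields
# ".", so neither is treated as extensionless.
EXTENSION_RE = re.compile(r"(?P<extension>\.[^.]*$)")


def extract_extension(file_name: str):
    """Stage 3: rex over file_name; returns None when nothing matched, which
    is the condition Stage 4's where isnull(extension) tests."""
    match = EXTENSION_RE.search(file_name)
    return match.group("extension") if match else None


def detect(events):
    """Apply stages 1, 3 and 4 to Endpoint.Filesystem-shaped events and
    return the file_path of each event the analytic would surface, in order.
    The closing filter macro (stage 7) is site-specific and not modelled."""
    return [
        ev["file_path"]
        for ev in events
        if in_critical_folder(ev["file_path"])
        and extract_extension(ev["file_name"]) is None
    ]


# Constructed sample events using Endpoint.Filesystem field names, as Sysmon
# Event ID 11 (FileCreate) would populate them. Hosts, users and process ids
# are made up.
SAMPLE_EVENTS = [
    {"dest": "ws01", "action": "created", "user": "NT AUTHORITY\\SYSTEM",
     "process_id": 4120,
     "file_path": r"C:\Windows\System32\drivers\xdrv", "file_name": "xdrv"},
    {"dest": "ws01", "action": "created", "user": "CORP\\bob",
     "process_id": 5560,
     "file_path": r"C:\Windows\System32\drivers\etc\hosts",
     "file_name": "hosts"},
    {"dest": "ws02", "action": "created", "user": "CORP\\installer",
     "process_id": 1188,
     "file_path": r"C:\Program Files (x86)\ExampleApp\LICENSE",
     "file_name": "LICENSE"},
    {"dest": "ws02", "action": "created", "user": "NT AUTHORITY\\SYSTEM",
     "process_id": 992,
     "file_path": r"C:\Windows\System32\drivers\legit.sys",
     "file_name": "legit.sys"},
    {"dest": "ws02", "action": "created", "user": "CORP\\installer",
     "process_id": 1188,
     "file_path": r"C:\Program Files\ExampleApp\.gitattributes",
     "file_name": ".gitattributes"},
    {"dest": "ws03", "action": "created", "user": "NT AUTHORITY\\SYSTEM",
     "process_id": 2204,
     "file_path": r"C:\Windows\servicing\Packages\update.",
     "file_name": "update."},
    {"dest": "ws03", "action": "created", "user": "CORP\\bob",
     "process_id": 7712,
     "file_path": r"C:\Users\bob\Downloads\stage1", "file_name": "stage1"},
    {"dest": "ws03", "action": "created", "user": "NT AUTHORITY\\SYSTEM",
     "process_id": 3340,
     "file_path": r"c:\windows\winsxs\temp\pending", "file_name": "pending"},
]


if __name__ == "__main__":
    for path in detect(SAMPLE_EVENTS):
        print("MATCH", path)
```

Running it surfaces four of the eight events: the extensionless file under System32\drivers, the hosts file under drivers\etc, the LICENSE file under Program Files (x86), and the lower-case WinSxS path, which shows the wildcard match is case-insensitive. Two of those four are benign, which is the case for a tuned filter macro. The dotfile and the trailing-dot name are not surfaced because the extension regex treats them as having an extension; if that matters in your environment, adjust the rex rather than the path list.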

Indicators

Each row is a field, operator, and value that the rule matches. The corpus count records how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or a count of 1 shows that the indicator is specific to this rule.

Field: Filesystem.file_path
Kind: in
Values:
  • "*:\\Windows\\WinSxS\\*"
  • "*\\Program Files*"
  • "*\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*"
  • "*\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*"
  • "*\\System32\\Boot\\*"
  • "*\\System32\\Recovery\\*"
  • "*\\System32\\drivers\\*"
  • "*\\WINDOWS\\System32\\DriverStore\\*"
  • "*\\WINDOWS\\inf\\*"
  • "*\\Windows\\Boot\\*"
  • "*\\Windows\\ELAMBKUP\\*"
  • "*\\Windows\\servicing\\*" (corpus 3: splunk 3)
  • "*\\syswow64\\drivers\\*"
  • "C:\\AMD\\*"
  • "C:\\OEM\\*"