Try in Splunk Security Cloud


The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin to detect potential threats earlier and mitigate the risks. This detection is made by a Splunk query that utilizes the Endpoint.Filesystem data model and the Endpoint.Processes data model. The query looks for any process writing to the "$Recycle.Bin" file path, excluding explorer.exe. This detection is important because it suggests that an attacker is attempting to hide their activities by using the Recycle Bin, which can lead to data theft, ransomware, or other damaging outcomes. Detecting writes to the Recycle Bin by a process other than explorer.exe can help to investigate and determine if the activity is malicious or benign. False positives might occur since there might be legitimate uses of the Recycle Bin by processes other than explorer.exe. Next steps include reviewing the process writing to the Recycle Bin and any relevant on-disk artifacts upon triage.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-11-07
  • Author: Rico Valdez, Splunk
  • ID: b5541828-8ffd-4070-9d95-b3da4de924cb




ID Technique Tactic
T1036 Masquerading Defense Evasion
Kill Chain Phase
  • Exploitation
  • DE.CM
  • CIS 10
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" by Filesystem.process_name Filesystem.process_id Filesystem.dest 
| `drop_dm_object_name("Filesystem")` 
| join  process_id [
| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest 
| `drop_dm_object_name("Processes")` 
| table user process_name process_id dest] 
| `suspicious_writes_to_windows_recycle_bin_filter`


The SPL above uses the following Macros:

:information_source: suspicious_writes_to_windows_recycle_bin_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Filesystem.file_path
  • Filesystem.file_name
  • Filesystem.process_id
  • Filesystem.dest
  • Processes.user
  • Processes.process_name
  • Processes.parent_process_name
  • Processes.process_id
  • Processes.dest

How To Implement

To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the Endpoint datamodel in the Processes and Filesystem nodes.

Known False Positives

Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.

Associated Analytic Story


Risk Score Impact Confidence Message
28.0 40 70 Suspicious writes to windows Recycle Bin process $process_name$ on $dest$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2