Suspicious writes to windows Recycle Bin
This search detects writes to the recycle bin by a process other than explorer.exe.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-07-22
- Author: Rico Valdez, Splunk
- ID: b5541828-8ffd-4070-9d95-b3da4de924cb
Kill Chain Phase
- CIS 10
1 2 3 4 5 6 7 8 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" by Filesystem.process_id Filesystem.dest | `drop_dm_object_name("Filesystem")` | search [ | tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | table process_id dest] | `suspicious_writes_to_windows_recycle_bin_filter`
The SPL above uses the following Macros:
suspicious_writes_to_windows_recycle_bin_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the
Endpoint datamodel in the
Known False Positives
Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.
Associated Analytic Story
|28.0||40||70||Suspicious writes to windows Recycle Bin process $Processes.process_name$|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Replay any dataset to Splunk Enterprise by using our
replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 4