Suspicious writes to windows Recycle Bin
Description
The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the "$Recycle.Bin" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2024-05-18
- Author: Rico Valdez, Splunk
- ID: b5541828-8ffd-4070-9d95-b3da4de924cb
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*" by Filesystem.process_name Filesystem.process_id Filesystem.dest
| `drop_dm_object_name("Filesystem")`
| join process_id [
| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name != "explorer.exe" by Processes.process_id Processes.dest
| `drop_dm_object_name("Processes")`
| table user process_name process_id dest]
| `suspicious_writes_to_windows_recycle_bin_filter`
Macros
The SPL above uses the following Macros:
suspicious_writes_to_windows_recycle_bin_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Filesystem.file_path
- Filesystem.file_name
- Filesystem.process_id
- Filesystem.dest
- Processes.user
- Processes.process_name
- Processes.parent_process_name
- Processes.process_id
- Processes.dest
How To Implement
To successfully implement this search you need to be ingesting information on filesystem and process logs responsible for the changes from your endpoints into the Endpoint
datamodel in the Processes
and Filesystem
nodes.
Known False Positives
Because the Recycle Bin is a hidden folder in modern versions of Windows, it would be unusual for a process other than explorer.exe to write to it. Incidents should be investigated as appropriate.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
28.0 | 40 | 70 | Suspicious writes to windows Recycle Bin process $process_name$ on $dest$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 3