Executable Launched from Windows Temp Directory
Detects processes executing from Windows temporary directories, a common indicator of malware droppers, ransomware payload staging, and post-exploitation download-and-execute patterns. Beginner-friendly detection query for initial triage of suspicious execution paths, covering AppData Temp, Windows Temp, and root Temp locations.

Tags: Malware, temp-directory, malware-staging, execution, beginner, ransomware, T1204.002, T1036.005

FDR | Beginner | by darkreitor | 1 min read
Query

```
#repo="base_sensor" #event_simpleName=ProcessRollup2
| ImageFileName=/(?i)(\\Temp\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)/
| not ImageFileName=/(?i)(MsiExec|setup\.exe|install\.exe|update\.exe|deploy)/
| groupBy([ComputerName, UserName, FileName, ImageFileName], function=count(as=exec_count))
| sort(exec_count, order=desc, limit=100)
```

Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Selects process creation events from the FDR sensor feed |
| `ImageFileName=/(?i)(\\Temp\\\|\\AppData\\Local\\Temp\\\|\\Windows\\Temp\\)/` | Matches the full image path containing known Windows temp directories, the most common malware drop and staging locations |
| `not ImageFileName=/(?i)(MsiExec\|setup\.exe\|install\.exe\|update\.exe\|deploy)/` | Excludes common legitimate Windows installer executables to reduce false positives from routine software updates and deployments |
| `groupBy([ComputerName, UserName, FileName, ImageFileName], function=count(as=exec_count))` | Groups by host, user, process name, and full path; provides all context needed for analyst investigation without drill-down |
| `sort(exec_count, order=desc, limit=100)` | Surfaces the 100 most frequent temp-directory executions across all endpoints for bulk SOC triage |
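As an added example (not part of the original query page or the author's code), the same path match, installer exclusion, groupBy and sort expressed in Python and run over constructed ProcessRollup2-style events, so the behaviour of the two regexes can be checked offline. Two points it makes visible: the first alternative `\\Temp\\` already matches the AppData and Windows variants, and the unanchored `deploy` exclusion also drops any other name containing that substring, such as the constructed `deployer.exe`.

```python
import re
from collections import Counter

# Constructed sample ProcessRollup2-style events; not real FDR data.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice", "FileName": "invoice.exe",
     "ImageFileName": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ComputerName": "WS01", "UserName": "alice", "FileName": "invoice.exe",
     "ImageFileName": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ComputerName": "WS02", "UserName": "bob", "FileName": "setup.exe",
     "ImageFileName": r"C:\Windows\Temp\setup.exe"},           # excluded installer name
    {"ComputerName": "WS03", "UserName": "carol", "FileName": "deployer.exe",
     "ImageFileName": r"C:\Temp\deployer.exe"},                # excluded: 'deploy' substring
    {"ComputerName": "WS04", "UserName": "dave", "FileName": "readme.exe",
     "ImageFileName": r"C:\Users\dave\AppData\Local\TEMP\7zO12\readme.exe"},  # (?i) hit
    {"ComputerName": "SRV01", "UserName": "svc", "FileName": "app.exe",
     "ImageFileName": r"C:\Program Files\Vendor\app.exe"},     # not a temp path
]

# Same patterns as the query; the (?i) flag becomes re.IGNORECASE.
# The first alternative (\Temp\) already covers the other two, which only add readability.
TEMP_PATH_RE = re.compile(r"\\Temp\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Unanchored substring match, so 'deploy' also drops names such as 'deployer.exe'.
INSTALLER_RE = re.compile(r"MsiExec|setup\.exe|install\.exe|update\.exe|deploy", re.IGNORECASE)

GROUP_KEYS = ("ComputerName", "UserName", "FileName", "ImageFileName")


def matches_query(event):
    """True when the event passes the temp-path match and is not excluded as an installer."""
    path = event["ImageFileName"]
    return bool(TEMP_PATH_RE.search(path)) and not INSTALLER_RE.search(path)


def run_query(events, limit=100):
    """groupBy(GROUP_KEYS, count(as=exec_count)) followed by sort(exec_count, desc, limit)."""
    counts = Counter(tuple(e[k] for k in GROUP_KEYS) for e in events if matches_query(e))
    rows = [dict(zip(GROUP_KEYS, key), exec_count=n) for key, n in counts.items()]
    rows.sort(key=lambda r: r["exec_count"], reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row["exec_count"], row["ComputerName"], row["UserName"], row["ImageFileName"])
```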
Adjustable Variables

- Exclusion list: add organization-specific update tools (e.g., `yourvendor_update.exe`) to the `not ImageFileName` regex to reduce noise.
- File extension filter: add `FileName=/\.exe$/` to restrict results to executable files only.
- Command line context: add `CommandLine` to the `groupBy` fields for additional execution context during active incidents.