Query for malicious file types in all users' and system temp directories

AID2201202326.YAML

#####aid_begin
#description: filescan for malicious file types in all users and system temp directories
#id: aid2201202326
#processtype: query
#category: filesandfolders
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgchilditemlist
#notes: |-
#   file types
#       - *.exe
#       - *.dll
#       - *.scr
#       - *.com
#       - *.bat
#       - *.ps1
#       - *.psm1
#       - *.psd1
#       - *.vbs
#       - *.vbe
#       - *.js
#       - *.wsh
#       - *.hta
#       - *.py
#       - *.ini
#####aid_end
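commands:
# Recursive listing under the 'TEMP' search path, filtered to the executable and
# script extensions listed in the notes above. Each alternative is anchored with
# '$', so only the final extension of a name is tested (e.g. "report.exe.txt" is
# not reported). The original pattern was missing the '|' between \.wsh$ and
# \.hta$, which made that fragment unmatchable, so .wsh and .hta files were never
# returned; the alternation is now complete.
# NOTE(review): what 'TEMP' expands to (per-user vs. system temp) and whether
# -Pattern is applied case-insensitively are decided inside Get-BGChildItemList —
# confirm there, since an uppercase ".EXE" would otherwise be missed.
- Get-BGChildItemList -SearchPath 'TEMP' -Pattern '\.exe$|\.dll$|\.scr$|\.com$|\.bat$|\.ps1$|\.psm1$|\.psd1$|\.vbs$|\.vbe$|\.js$|\.wsh$|\.hta$|\.py$|\.ini$' -Recurse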
