#####aid_begin
#description: filescan for malicious file types in all users and system temp directories
#id: aid2201202326
#processtype: query
#category: filesandfolders
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# get-bgchilditemlist
#notes: |-
# file types
# - *.exe
# - *.dll
# - *.scr
# - *.com
# - *.bat
# - *.ps1
# - *.psm1
# - *.psd1
# - *.vbs
# - *.vbe
# - *.js
# - *.wsh
# - *.hta
# - *.py
# - *.ini
#####aid_end
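# Single query: list files under the 'TEMP' search path whose names end in one
# of the extensions listed in the header notes, descending into subdirectories
# (-Recurse). Per the description header, 'TEMP' is expected to cover all user
# and system temp directories - confirm against Get-BGChildItemList.
#
# Fix: the original pattern read '\.wsh$\.hta$' with no '|' between the two
# alternatives. That sequence can never match (text after an end-of-string
# anchor), so .wsh and .hta files were silently left out of the results.
#
# NOTE(review): matching is by file extension only. A renamed or extension-less
# payload is not reported, and benign installers routinely drop .dll/.ini files
# in temp directories, so hits need triage (signature, hash, creation time)
# before being treated as malicious.
# NOTE(review): presumably the pattern is applied case-insensitively, as with
# PowerShell's -match; verify in Get-BGChildItemList so that names such as
# 'X.EXE' are not missed.
commands:
- Get-BGChildItemList -SearchPath 'TEMP' -Pattern '\.exe$|\.dll$|\.scr$|\.com$|\.bat$|\.ps1$|\.psm1$|\.psd1$|\.vbs$|\.vbe$|\.js$|\.wsh$|\.hta$|\.py$|\.ini$' -Recurse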