Temporary file staging
Malicious or suspicious scripts often stage payloads inside temp directories with randomized names to reduce visibility and bypass simplistic path-based controls.
What to look for
- Generated path: Capture the exact temp file or folder from process creation, PowerShell logging, or EDR telemetry.
- File extension: Determine whether the staged content is an executable, script, archive, or DLL.
Next actions
- Preserve artifacts: Collect the staged file before cleanup or reboot removes the evidence.
- Correlate execution: Check whether the temporary artifact was later executed, loaded, or renamed into a more durable location.
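The triage in both lists above (capture the temp path, classify its extension, then correlate later execution, loading or renaming) as an added example that is not part of the original page. It runs over a constructed, labelled telemetry sample in a made-up "seq|event|detail" format; the randomized-name rule is a simple heuristic chosen for this example.

```python
import re

# Constructed sample telemetry for this example (not from a real incident).
# Format: "<seq>|<event>|<detail>"; the detail carries the relevant path(s).
SAMPLE_EVENTS = [
    "1|FileCreate|C:\\Users\\bob\\AppData\\Local\\Temp\\a8f3e9c1b27d.exe",
    "2|FileCreate|C:\\Users\\bob\\AppData\\Local\\Temp\\installer_2024.log",
    "3|FileCreate|/tmp/tmpAb3Kq9Zx.sh",
    "4|ProcessCreate|C:\\Users\\bob\\AppData\\Local\\Temp\\a8f3e9c1b27d.exe",
    "5|FileRename|C:\\Users\\bob\\AppData\\Local\\Temp\\a8f3e9c1b27d.exe -> C:\\ProgramData\\svc\\updater.exe",
    "6|FileCreate|/tmp/x9p2q7m1.dll",
]

# Windows paths with a Temp\ component, or POSIX /tmp and /var/tmp paths.
TEMP_PATH = re.compile(
    r"(?:[A-Za-z]:\\(?:[^\\\s\"]+\\)*?Temp\\[^\s\"]+|/(?:var/)?tmp/[^\s\"]+)", re.IGNORECASE)
HEX_STEM = re.compile(r"^[0-9a-fA-F]{8,}$")
ALNUM_STEM = re.compile(r"^[A-Za-z0-9]{8,}$")
EXT_CLASS = {"exe": "executable", "scr": "executable", "com": "executable", "dll": "dll",
             "ps1": "script", "vbs": "script", "js": "script", "bat": "script", "cmd": "script",
             "sh": "script", "zip": "archive", "7z": "archive", "rar": "archive", "cab": "archive"}

def looks_randomized(stem: str) -> bool:
    """Heuristic: long hex blobs, or alphanumeric runs with several letter/digit transitions."""
    if HEX_STEM.match(stem):
        return True
    if not ALNUM_STEM.match(stem):
        return False
    transitions = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return transitions >= 3

def classify_extension(path: str) -> str:
    """Map the staged file's extension onto executable / script / archive / dll / other."""
    name = re.split(r"[\\/]", path)[-1]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return EXT_CLASS.get(ext, "other")

def find_staged_temp_files(events):
    """Return randomized-name temp artifacts, each with later events that reference the same path."""
    staged = {}
    for line in events:
        seq, kind, detail = line.split("|", 2)
        paths = TEMP_PATH.findall(detail)
        if kind == "FileCreate" and paths:
            name = re.split(r"[\\/]", paths[0])[-1]
            if looks_randomized(name.rsplit(".", 1)[0]):
                staged[paths[0]] = {"seq": int(seq), "kind": classify_extension(paths[0]), "later": []}
            continue
        for path in paths:  # execution, image load or rename of an already-staged artifact
            rec = staged.get(path)
            if rec and int(seq) > rec["seq"]:
                rec["later"].append(f"{kind}@{seq}")
    return staged
```

Artifacts whose "later" list is non-empty are the ones to preserve first, since the path is about to stop existing under its temp name.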