One common technique used by a lot of exploits, malware, and obfuscated software is to dynamically generate or download an executable or DLL file, run it or load it, then delete it. I frequently catch even legitimate software doing this, but I am always curious as to what executable code the authors are trying to hide. Saving those automatically generated files is a core feature of any decent sandbox out there, but in many cases, you see this activity on a production system and don’t know where the file is coming from. Especially if it only happens infrequently, it often doesn’t make sense to try to put the whole system in a sandbox.
So instead, I just use a simple trick with NTFS file permissions. First go to the folder the executable is going to be dropped in, right-click it, open Properties, then the Security tab, and hit Advanced. Uncheck the “Include inheritable permissions from this object’s parent” checkbox (on newer Windows versions this is the “Disable inheritance” button in the same dialog).
You can hit Remove to drop all of the inherited entries and then add one new permission giving full control to your user account, or hit Add to convert the inherited entries into explicit ones and then remove every entry except the one giving your account full control. Either way, the end state is a single entry for your account. If the dropper runs under another account (for instance as SYSTEM from a service), give that account the same trimmed entry instead; with no entry at all it will simply get access denied when it tries to write the file.
Then edit that one remaining entry for your user account and uncheck both delete boxes: “Delete” and “Delete subfolders and files”. The second one matters because it lets a caller delete children of the folder regardless of the children’s own permissions. Leave “Change permissions” checked, since that is what you will use to undo this later. Your account can now add new files to the folder, but it cannot delete (or rename, which also requires the delete right) any file that is already there or that gets created in the future, because new files inherit the trimmed entry.
Now just wait for the file to drop, and it will be preserved in the folder for you to come back and grab later. Since you retained the Change permissions right, reverting is just re-enabling inherited permissions on the folder and removing the entry you added, and you’ll be back to normal. A few caveats to keep in mind: a dropper that opens its file with FILE_FLAG_DELETE_ON_CLOSE needs the delete right at open time, so that open fails with access denied and the payload may never be written or run at all; a dropper that reuses the same file name can still overwrite the file in place, so you only keep the last copy; and the creating process owns the file it created, and an owner can always change that file’s permissions and grant itself delete again, although most droppers never bother to try.
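The same trick scripted with PowerShell’s Get-Acl/Set-Acl, so it can be applied and reverted without clicking through the dialog. This is an added example, not code from the original post; the drop folder (a “dropzone” directory under %TEMP%) and the script name are assumptions, and the script must run as the same account the dropper runs under. It ends with a constructed probe file whose deletion should fail, which is the quickest way to confirm the permissions actually took.

```powershell
# preserve-drops.ps1 (assumed name): keep dropped files by denying the delete rights
# on a folder, mirroring the GUI steps from the post. -Revert restores inheritance.
param(
    [string]$Folder = (Join-Path $env:TEMP 'dropzone'),   # assumed drop folder; change to the real one
    [switch]$Revert                                        # undo: re-enable inheritance, drop our entry
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. PC\alice
if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

if ($Revert) {
    # We kept Change permissions (WRITE_DAC), so this works without elevation.
    $acl = Get-Acl -LiteralPath $Folder
    $acl.SetAccessRuleProtection($false, $true)                    # re-enable inheritance
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$me) # remove the explicit entry we added
    Set-Acl -LiteralPath $Folder -AclObject $acl
    Write-Host "Inheritance restored on $Folder"
    return
}

# Full control minus the two delete rights: DELETE (also needed for rename) and
# FILE_DELETE_CHILD ("Delete subfolders and files"), which would allow deleting
# children regardless of their own ACLs. Read, write, execute and Change permissions stay.
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$del  = [int]([System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)
$rights = [System.Security.AccessControl.FileSystemRights]($full -band (-bnot $del))

# Inherit to subfolders and files so anything dropped later gets the same trimmed entry.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $me, $rights, $inherit, $propagate, 'Allow'

$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $false)      # uncheck "include inheritable permissions"
foreach ($old in @($acl.Access)) {               # hit "Remove" on every remaining explicit entry
    [void]$acl.RemoveAccessRule($old)
}
[void]$acl.AddAccessRule($rule)                  # the single entry for our account, no delete
Set-Acl -LiteralPath $Folder -AclObject $acl

# Show the resulting DACL: exactly one explicit entry, and no Delete/DeleteSubdirectoriesAndFiles.
(Get-Acl -LiteralPath $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Self-check with a constructed probe file: creating works, deleting must be denied.
# Note the probe stays in the folder until you run -Revert, which is the whole point.
$probe = Join-Path $Folder 'probe.txt'
Set-Content -LiteralPath $probe -Value 'constructed test file'
try {
    Remove-Item -LiteralPath $probe -ErrorAction Stop
    Write-Warning "Delete succeeded, so the permissions did not take effect."
} catch {
    Write-Host "Delete denied as intended: $($_.Exception.Message)"
}
```

Run it once as `.\preserve-drops.ps1 -Folder 'C:\path\where\it\drops'` before the dropper fires, collect the files, then `.\preserve-drops.ps1 -Folder 'C:\path\where\it\drops' -Revert` to put the folder back. Because the account still holds Change permissions, neither step needs an elevated prompt.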