I wanted to ask this of the forum, to see if anyone else is doing this. We have been thinking of using a SEP Application & Device Control Policy to monitor for executables launching from temp space. I figure we could monitor places like:
%AppData%\*
%LocalAppData%\*
C:\ProgramData\*
%ProgramData%\*
... [etc.]
The idea would be that we would be able to see "strange" executables that get launched on an endpoint from this space. I know that a lot of these would be false positives, but we would be able to see malicious executables that get launched from these locations as well.
We were also thinking of adding the .exe, .dll, etc. files that Metasploit, SET, BeEF, PowerSploit, etc. use as well. That way we could see if any of these malicious files start running on endpoints.
Anyone have any luck with this?
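One way to prototype the matching side of this before committing it to a SEP rule is to run the same path patterns over a batch of process-launch records and see what the rule would actually flag. The script below is an added example, not code from the original post and not Symantec's policy engine: the environment values, the allowlist entries, the tool file names and the launch records are all constructed. It expands the `%VAR%\*` patterns per user (AppData lives under each profile), canonicalises the image path so forward slashes and `..` hops do not slip past a prefix match, collapses entries that expand to the same prefix (the post lists `C:\ProgramData\*` and `%ProgramData%\*`, which are the same tree), and keeps an allowlist for the things that legitimately run from these locations.

```python
"""Added example: prototype the "executable launched from a temp/AppData path"
check described in the post. Not SEP code; all inputs below are constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed environment for one hypothetical user. On a real endpoint these
# come from os.environ (or the event itself) and differ per user profile.
ENV: Dict[str, str] = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "PROGRAMDATA": r"C:\ProgramData",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# The locations from the post, written the way a SEP rule would take them.
WATCHED_PATTERNS = [
    r"%AppData%\*",
    r"%LocalAppData%\*",
    r"C:\ProgramData\*",
    r"%ProgramData%\*",  # same prefix as the previous entry once expanded
    r"%TEMP%\*",
]

# Constructed allowlist: things that legitimately run from these trees and
# would otherwise be constant noise. Populate from your own fleet.
ALLOWLIST = [
    r"%LocalAppData%\Microsoft\OneDrive\OneDrive.exe",
    r"%LocalAppData%\Microsoft\Teams\current\Teams.exe",
]

# Constructed placeholder names standing in for the tool binaries the post
# wants to watch. A rename defeats a name match, so a hit is a strong signal
# but a miss proves nothing.
TOOL_FILE_NAMES = {n.lower() for n in {"payload.exe", "met.dll", "psploit_loader.ps1"}}

_VAR = re.compile(r"%([A-Za-z0-9_]+)%")


def expand(pattern: str, env: Dict[str, str] = ENV) -> str:
    """Expand %VAR% tokens case-insensitively; unknown variables are left as-is."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)


def normalize(path: str) -> str:
    """Canonicalise a Windows path: '/' -> '\\', collapse '..' segments, lowercase."""
    return ntpath.normpath(path).lower()


def compile_rule(pattern: str, env: Dict[str, str] = ENV) -> re.Pattern:
    """Turn a SEP-style wildcard pattern into an anchored regex over normalised paths."""
    parts = [re.escape(p) for p in normalize(expand(pattern, env)).split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def build_rules(patterns: List[str], env: Dict[str, str] = ENV) -> List[Tuple[str, re.Pattern]]:
    """Compile patterns, keeping one rule per distinct expanded prefix."""
    rules: Dict[str, Tuple[str, re.Pattern]] = {}
    for p in patterns:
        rx = compile_rule(p, env)
        rules.setdefault(rx.pattern, (p, rx))  # first label wins for duplicates
    return list(rules.values())


RULES = build_rules(WATCHED_PATTERNS)
ALLOW = {normalize(expand(a)) for a in ALLOWLIST}


@dataclass
class Verdict:
    image: str
    matched_pattern: Optional[str]  # first watched location the image fell under
    allowlisted: bool
    known_tool_name: bool

    @property
    def alert(self) -> bool:
        return self.known_tool_name or (self.matched_pattern is not None and not self.allowlisted)


def evaluate(image_path: str) -> Verdict:
    """Classify one process image path against the watched trees and tool names."""
    img = normalize(image_path)
    matched = next((label for label, rx in RULES if rx.match(img)), None)
    return Verdict(image_path, matched, img in ALLOW, ntpath.basename(img) in TOOL_FILE_NAMES)


# Constructed process-creation records, not real telemetry.
SAMPLE_LAUNCHES = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\AppData\Roaming\updater.exe",
    r"C:/Users/alice/AppData/Local/Temp/7zS1234/setup.exe",  # forward slashes
    r"C:\Windows\..\ProgramData\svc\agent.exe",               # '..' hop into a watched tree
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Users\alice\Downloads\payload.exe",                  # unwatched dir, watched name
]


def triage(launches: List[str] = SAMPLE_LAUNCHES) -> List[Verdict]:
    return [evaluate(p) for p in launches]


if __name__ == "__main__":
    for v in triage():
        flag = "ALERT" if v.alert else "ok   "
        print(f"{flag} {v.image}  pattern={v.matched_pattern} allow={v.allowlisted} tool={v.known_tool_name}")
```

Two caveats a practitioner would want before trusting the output: a string prefix match is only as good as the canonical form of the path it sees, so 8.3 short names (`C:\PROGRA~3\...`) and junctions that point into a watched tree will not match unless the event source resolves them first; and the allowlist above is keyed on the full path, which is deliberately narrow, since allowing a whole subtree would hand an attacker a free drop location.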