Techniques
Sample rules
Suspicious Execution From GUID Like Folder Names
- source: sigma
- techniques:
  - t1027
Description
Detects potentially suspicious execution from a GUID-like folder name located in a suspicious location such as %TEMP%, as seen in IcedID attacks.
Detection logic
selection_folder:
    CommandLine|contains:
        - '\AppData\Roaming\'
        - '\AppData\Local\Temp\'
selection_guid:
    CommandLine|contains|all:
        - '\{'
        - '}\'
filter:
    Image|contains|all:
        - '\{'
        - '}\'
filter_driver_inst:
    Image: 'C:\Windows\System32\drvinst.exe'
filter_null:
    Image: null
condition: all of selection_* and not 1 of filter*
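To make the condition concrete, the following is an added example (not Sigma's code or the rule's own) that re-implements the rule's selections and filters in Python and runs them over constructed process-creation events; field names CommandLine and Image follow the rule, while all user names, paths and the GUID value are made up.

```python
"""Added example (not Sigma's code): evaluate 'all of selection_* and not 1 of filter*'
over constructed process-creation events. Field names follow the rule; paths are made up."""

FOLDERS = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\")  # selection_folder
GUID_BRACES = ("\\{", "}\\")                                   # selection_guid / filter
DRVINST = "c:\\windows\\system32\\drvinst.exe"                  # filter_driver_inst

def _contains(value, needle):
    """Sigma 'contains': case-insensitive substring; a null field never matches."""
    return value is not None and needle.lower() in value.lower()

def matches(event):
    """True when the event would fire the rule."""
    cmd, image = event.get("CommandLine"), event.get("Image")
    selection_folder = any(_contains(cmd, f) for f in FOLDERS)
    selection_guid = all(_contains(cmd, b) for b in GUID_BRACES)
    # filter: the process image itself lives in a GUID-like folder
    filter_image = all(_contains(image, b) for b in GUID_BRACES)
    # filter_driver_inst: Sigma exact matches are case-insensitive as well
    filter_driver_inst = image is not None and image.lower() == DRVINST
    filter_null = image is None  # 'Image: null' matches events lacking the field
    return (selection_folder and selection_guid
            and not (filter_image or filter_driver_inst or filter_null))

GUID = "{1B2C3D4E-0000-1111-2222-333344445555}"  # constructed value, not an indicator
SAMPLE_EVENTS = [
    # 0: regsvr32 loading a DLL from a GUID-like folder under %TEMP% -> fires
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": f"regsvr32.exe /s C:\\Users\\u\\AppData\\Local\\Temp\\{GUID}\\x.dll"},
    # 1: the Image itself sits in the GUID folder -> suppressed by 'filter'
    {"Image": f"C:\\Users\\u\\AppData\\Roaming\\{GUID}\\setup.exe",
     "CommandLine": f"C:\\Users\\u\\AppData\\Roaming\\{GUID}\\setup.exe /install"},
    # 2: driver installer -> suppressed by filter_driver_inst
    {"Image": "C:\\Windows\\System32\\DrvInst.exe",
     "CommandLine": f"DrvInst.exe 4 C:\\Users\\u\\AppData\\Local\\Temp\\{GUID}\\inf"},
    # 3: AppData path but no braces -> selection_guid fails
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"},
    # 4: braces outside the watched folders -> selection_folder fails
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": f"rundll32.exe C:\\ProgramData\\{GUID}\\x.dll,Run"},
    # 5: no Image field at all -> suppressed by filter_null
    {"Image": None,
     "CommandLine": f"C:\\Users\\u\\AppData\\Roaming\\{GUID}\\a.exe"},
]

def alerts(events=SAMPLE_EVENTS):
    """Indexes of the events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Only event 0 fires; events 1, 2 and 5 satisfy both selections but are suppressed by one of the three filters, which is the part of the rule most worth checking against your own telemetry before deploying it.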