software installers downloaded and used by users

t1547
t1547.001
windows
sigma

Techniques

t1547
t1547.001

Sample rules

Suspicious Run Key from Download

source: sigma
technicques:
- t1547
- t1547.001

Description

Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories

Detection logic

condition: selection
selection:
  Image|contains:
  - \AppData\Local\Packages\Microsoft.Outlook_
  - \AppData\Local\Microsoft\Olk\Attachments\
  - \Downloads\
  - \Temporary Internet Files\Content.Outlook\
  - \Local Settings\Temporary Internet Files\
  TargetObject|contains:
  - \Software\Microsoft\Windows\CurrentVersion\Run
  - \Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run