Techniques
Sample rules
Suspicious Run Key from Download
- source: sigma
- techniques:
  - t1547
  - t1547.001
Description
Detects Run key values written by a process whose executable resides in a Downloads folder or in a temporary Outlook/Internet Explorer attachment directory. Legitimate installers rarely register persistence from these locations, whereas malware delivered by e-mail attachment or browser download commonly does so as its first post-execution step.
Detection logic
selection:
  Image|contains:
    - '\AppData\Local\Packages\Microsoft.Outlook_'
    - '\AppData\Local\Microsoft\Olk\Attachments\'
    - '\Downloads\'
    - '\Temporary Internet Files\Content.Outlook\'
    - '\Local Settings\Temporary Internet Files\'
  TargetObject|contains:
    - '\Software\Microsoft\Windows\CurrentVersion\Run'
    - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
condition: selection
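The following is an added example, not code from the original page or from the Sigma project: a small evaluator that applies the selection above to constructed Sysmon registry events (Event ID 13, value set, is assumed as the log source; the SIDs, paths and value names in the sample records are made up). Two details matter when reproducing the rule by hand: Sigma string modifiers such as `contains` match case-insensitively by default, so both sides are lowercased, and a substring match on `\CurrentVersion\Run` also covers `RunOnce` and `RunServices` keys, which the sample set exercises deliberately.

```python
"""Evaluate the 'Suspicious Run Key from Download' selection over sample events.

Added example; the Sysmon records below are constructed, not real telemetry.
Sysmon registry events carry the writing process in 'Image' and the key or
value path in 'TargetObject', which is all this selection needs.
"""

# Image|contains list from the rule (backslashes doubled for Python strings).
IMAGE_PATTERNS = [
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
    "\\Downloads\\",
    "\\Temporary Internet Files\\Content.Outlook\\",
    "\\Local Settings\\Temporary Internet Files\\",
]

# TargetObject|contains list from the rule.
TARGET_PATTERNS = [
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
]


def contains_any(value: str, patterns: list[str]) -> bool:
    """Sigma 'contains' with a list: OR over patterns, case-insensitive."""
    haystack = value.lower()
    return any(p.lower() in haystack for p in patterns)


def matches(event: dict) -> bool:
    """'condition: selection': every field in the selection must match (AND)."""
    return contains_any(event.get("Image", ""), IMAGE_PATTERNS) and contains_any(
        event.get("TargetObject", ""), TARGET_PATTERNS
    )


# Constructed Sysmon Event ID 13 records (fictional user, SID, paths, values).
SAMPLE_EVENTS = [
    {   # downloaded binary registers itself under HKCU Run -> should match
        "EventID": 13,
        "Image": "C:\\Users\\alice\\Downloads\\invoice_2024.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                        "\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
    },
    {   # vendor installer from Program Files writing Run -> image path does not match
        "EventID": 13,
        "Image": "C:\\Program Files\\Vendor\\setup.exe",
        "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor",
        "Details": "C:\\Program Files\\Vendor\\agent.exe",
    },
    {   # Outlook attachment cache binary writing RunOnce -> matches via substring
        "EventID": 13,
        "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Olk\\Attachments"
                 "\\a1b2\\report.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                        "\\Windows\\CurrentVersion\\RunOnce\\report",
        "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe",
    },
    {   # downloaded tool touching an unrelated key -> target path does not match
        "EventID": 13,
        "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes"
                        "\\.tool\\OpenWithProgids",
        "Details": "(Empty)",
    },
]


def alerts(events: list[dict] = SAMPLE_EVENTS) -> list[dict]:
    """Return the events that would fire the rule."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in alerts():
        print(f"ALERT  image={hit['Image']}  target={hit['TargetObject']}")
```

Running the block prints the first and third sample events. The third one is worth noting when tuning: the rule author's `contains` on `\CurrentVersion\Run` intentionally or not sweeps in `RunOnce` and `RunServices` paths, so an environment that wants only the plain `Run` key needs an `endswith`-style or anchored match instead.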