Techniques
Sample rules
Suspicious Run Key from Download
- source: sigma
- techniques:
  - t1547
  - t1547.001
Description
Detects suspicious Run key entries created by executables running from the Downloads folder or from the temporary Outlook/Internet Explorer attachment and cache directories. Both conditions must hold: the writing process image must sit in one of those directories, and the registry value written must be under the CurrentVersion\Run key.
Detection logic
selection:
    Image|contains:
        - \Downloads\
        - \Temporary Internet Files\Content.Outlook\
        - \Local Settings\Temporary Internet Files\
    TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
condition: selection
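The selection above re-implemented as plain Python and run over a handful of constructed registry events, as an added example that is not part of the original Sigma rule or its repository. The field names (Image, TargetObject) and the substrings are taken from the rule; the assumption that the log source is Sysmon Event ID 13 (registry value set) and all sample events are ours.

```python
"""
Added example (not the Sigma rule's own code): evaluate the
"Suspicious Run Key from Download" selection over constructed
Sysmon Event ID 13 (registry value set) samples.

Assumptions: the rule's logsource is Sysmon registry telemetry, and
Sigma's string modifiers are case-insensitive (true unless |cased is used).
"""

# Substrings copied from the rule's selection block.
IMAGE_SUBSTRINGS = (
    "\\Downloads\\",
    "\\Temporary Internet Files\\Content.Outlook\\",
    "\\Local Settings\\Temporary Internet Files\\",
)
RUN_KEY_SUBSTRING = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"


def _contains_any(value: str, needles) -> bool:
    """Sigma `field|contains: [a, b]` is an OR over the list, case-insensitive."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `condition: selection`.

    The two field predicates inside one selection are ANDed: the writing
    process must run from a listed directory AND the written value must
    live directly under the CurrentVersion\\Run key.
    """
    image = event.get("Image", "")
    target = event.get("TargetObject", "")
    return (_contains_any(image, IMAGE_SUBSTRINGS)
            and _contains_any(target, (RUN_KEY_SUBSTRING,)))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: dropper in Downloads persisting via HKCU Run -> match
        "EventID": 13,
        "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
        "TargetObject": "HKU\\S-1-5-21-1111\\SOFTWARE\\Microsoft\\Windows"
                        "\\CurrentVersion\\Run\\Updater",
    },
    {   # 2: Outlook attachment cache, mixed-case key path -> match
        "EventID": 13,
        "Image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Windows"
                 "\\Temporary Internet Files\\Content.Outlook\\ABCD1234\\report.exe",
        "TargetObject": "HKU\\S-1-5-21-2222\\Software\\Microsoft\\Windows"
                        "\\CurrentVersion\\Run\\Report",
    },
    {   # 3: installer from Program Files writes Run -> no match (Image)
        "EventID": 13,
        "Image": "C:\\Program Files\\Vendor\\setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows"
                        "\\CurrentVersion\\Run\\VendorAgent",
    },
    {   # 4: Downloads binary writes RunOnce -> no match; the trailing
        #    backslash in "\\Run\\" does not cover "\\RunOnce\\"
        "EventID": 13,
        "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
        "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows"
                        "\\CurrentVersion\\RunOnce\\Tool",
    },
    {   # 5: Downloads binary writes an unrelated key -> no match (TargetObject)
        "EventID": 13,
        "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
        "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows"
                        "\\CurrentVersion\\Explorer\\Advanced\\Hidden",
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the 1-based indexes of events that trigger the rule."""
    return [i for i, ev in enumerate(events, start=1) if matches_rule(ev)]


if __name__ == "__main__":
    for idx in run_detection():
        ev = SAMPLE_EVENTS[idx - 1]
        print(f"ALERT event {idx}: {ev['Image']} -> {ev['TargetObject']}")
```

Sample 4 is the caveat worth remembering when tuning this rule: because the TargetObject substring ends in a backslash, writes to RunOnce (or any other key whose name merely starts with "Run") do not fire. If you want RunOnce covered, add it as a second list entry rather than dropping the trailing backslash, which would also widen the match to unrelated keys.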