New RUN Key Pointing to Suspicious Folder
- source: sigma
- techniques:
  - t1547
  - t1547.001
Description
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Detection logic
detection:
    selection_target:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
    selection_details:
        - Details|contains:
              - ':\$Recycle.bin\'
              - ':\Temp\'
              - ':\Users\Default\'
              - ':\Users\Desktop\'
              - ':\Users\Public\'
              - ':\Windows\Temp\'
              - '\AppData\Local\Temp\'
              - '%temp%\'
              - '%tmp%\'
        - Details|startswith:
              - '%Public%\'
              - 'wscript'
              - 'cscript'
    filter_main_windows_update:
        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
        Details|contains|all:
            - 'rundll32.exe '
            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
    condition: all of selection_* and not 1 of filter_main_*
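The following is an added worked example, not part of the rule or of the Sigma project: it re-implements the detection logic above in Python and runs it over a handful of constructed registry-set events (Sysmon Event ID 13 style, with the fields Image, TargetObject and Details) so the selection/filter interplay can be inspected. Sigma string modifiers match case-insensitively, so every comparison is done on lowercased values. The event records, key paths and file names are invented for illustration.

```python
"""Reference implementation of 'New RUN Key Pointing to Suspicious Folder'.

Added example, not the Sigma rule itself. Field names follow Sysmon Event ID 13
(RegistryEvent / Value Set): Image, TargetObject, Details.
"""

# selection_target: TargetObject|contains (lowercased, Sigma matching is case-insensitive)
RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)

# selection_details: Details|contains ...
SUSPICIOUS_PATH_FRAGMENTS = (
    ":\\$recycle.bin\\", ":\\temp\\", ":\\users\\default\\", ":\\users\\desktop\\",
    ":\\users\\public\\", ":\\windows\\temp\\", "\\appdata\\local\\temp\\",
    "%temp%\\", "%tmp%\\",
)
# ... OR Details|startswith
SUSPICIOUS_PREFIXES = ("%public%\\", "wscript", "cscript")

# filter_main_windows_update: all four clauses must hold for the filter to apply
FILTER_IMAGE_PREFIX = "c:\\windows\\softwaredistribution\\download\\"
FILTER_TARGET = "\\microsoft\\windows\\currentversion\\runonce\\"
FILTER_DETAILS_ALL = ("rundll32.exe ", "c:\\windows\\system32\\advpack.dll,delnoderundll32")
FILTER_DETAILS_ANY = ("\\appdata\\local\\temp\\", "c:\\windows\\temp\\")


def _lower(event, field):
    return str(event.get(field, "")).lower()


def selection_target(event):
    target = _lower(event, "TargetObject")
    return any(k in target for k in RUN_KEYS)


def selection_details(event):
    details = _lower(event, "Details")
    return (any(f in details for f in SUSPICIOUS_PATH_FRAGMENTS)
            or details.startswith(SUSPICIOUS_PREFIXES))


def filter_main_windows_update(event):
    image, target, details = (_lower(event, f) for f in ("Image", "TargetObject", "Details"))
    return (image.startswith(FILTER_IMAGE_PREFIX)
            and FILTER_TARGET in target
            and all(s in details for s in FILTER_DETAILS_ALL)
            and any(s in details for s in FILTER_DETAILS_ANY))


def matches(event):
    # condition: all of selection_* and not 1 of filter_main_*
    return (selection_target(event) and selection_details(event)
            and not filter_main_windows_update(event))


def run_rule(events):
    """Return the names of the events that would raise an alert."""
    return [e["name"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"name": "temp_dropper",  # classic persistence from a user temp folder -> alert
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"name": "vendor_agent",  # Run key, but target lives under Program Files -> no alert
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --background'},
    {"name": "windows_update_cleanup",  # both selections hit, but the filter suppresses it
     "Image": r"C:\Windows\SoftwareDistribution\Download\Install\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WUCleanup",
     "Details": r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\Temp\wu-cleanup"'},
    {"name": "wscript_launcher",  # no suspicious folder, caught by Details|startswith wscript
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     "Details": r'wscript.exe //B "C:\ProgramData\Sync\helper.vbs"'},
    {"name": "env_temp_uppercase",  # %TEMP% in upper case, matched case-insensitively
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"%TEMP%\svc.exe"},
    {"name": "non_run_key",  # suspicious path, but not a Run/RunOnce key -> no alert
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup",
     "Details": r"C:\Temp\x.exe"},
]

if __name__ == "__main__":
    for name in run_rule(SAMPLE_EVENTS):
        print("ALERT:", name)
```

The Windows Update event is the case worth studying: it satisfies both selections (RunOnce key, Details under C:\Windows\Temp\) and is only suppressed because all four filter clauses hold at once; an event from the same image that wrote a Run key instead of RunOnce, or that did not invoke advpack.dll's DelNodeRunDLL32, would still alert.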