Techniques
Sample rules
New RUN Key Pointing to Suspicious Folder
- source: sigma
- techniques:
  - t1547
  - t1547.001
Description
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Detection logic
condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*)) and not 1 of filter_main_*
filter_main_windows_update:
    Details|contains:
        - '\AppData\Local\Temp\'
        - 'C:\Windows\Temp\'
    Details|contains|all:
        - 'rundll32.exe '
        - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
    Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
    TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
selection_suspicious_paths_1:
    Details|contains:
        - ':\Perflogs'
        - ':\ProgramData'
        - ':\Windows\Temp'
        - ':\Temp'
        - '\AppData\Local\Temp'
        - '\AppData\Roaming'
        - ':\$Recycle.bin'
        - ':\Users\Default'
        - ':\Users\public'
        - '%temp%'
        - '%tmp%'
        - '%Public%'
        - '%AppData%'
selection_suspicious_paths_user_1:
    Details|contains: ':\Users\'
selection_suspicious_paths_user_2:
    Details|contains:
        - '\Favorites'
        - '\Favourites'
        - '\Contacts'
        - '\Music'
        - '\Pictures'
        - '\Documents'
        - '\Photos'
selection_target:
    TargetObject|contains:
        - '\Software\Microsoft\Windows\CurrentVersion\Run'
        - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
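To show how the condition above combines its selections and the filter, here is the rule re-implemented in plain Python and run over constructed Sysmon Event ID 13 (registry value set) events. This is an added example, not code from the Sigma project; the field names (TargetObject, Details, Image) follow Sigma's windows/registry_set log source and the sample events are made up.

```python
# Added example (not from the Sigma project): the rule above re-implemented in plain Python
# and run over constructed Sysmon Event ID 13 (registry value set) events. Sigma's string
# modifiers are case-insensitive, so every comparison is done on lower-cased values.
RUN_KEYS = [  # selection_target
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
SUSPICIOUS_PATHS = [  # selection_suspicious_paths_1
    r":\Perflogs", r":\ProgramData", r":\Windows\Temp", r":\Temp", r"\AppData\Local\Temp",
    r"\AppData\Roaming", r":\$Recycle.bin", r":\Users\Default", r":\Users\public",
    "%temp%", "%tmp%", "%Public%", "%AppData%",
]
USER_FOLDERS = [r"\Favorites", r"\Favourites", r"\Contacts", r"\Music",  # ..._user_2
                r"\Pictures", r"\Documents", r"\Photos"]

def _contains_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def filter_windows_update(ev):
    """filter_main_windows_update: inside one selection every field must match (AND)."""
    details = ev.get("Details", "").lower()
    return (ev.get("Image", "").lower().startswith("c:\\windows\\softwaredistribution\\download\\")
            and "\\microsoft\\windows\\currentversion\\runonce\\" in ev.get("TargetObject", "").lower()
            and all(s in details for s in ("rundll32.exe ", "c:\\windows\\system32\\advpack.dll,delnoderundll32"))
            and _contains_any(details, ["\\AppData\\Local\\Temp\\", "C:\\Windows\\Temp\\"]))

def matches_rule(ev):
    """condition: selection_target and (paths_1 or all of paths_user_*) and not 1 of filter_main_*"""
    details = ev.get("Details", "")
    selection_target = _contains_any(ev.get("TargetObject", ""), RUN_KEYS)
    paths_1 = _contains_any(details, SUSPICIOUS_PATHS)
    paths_user = _contains_any(details, [":\\Users\\"]) and _contains_any(details, USER_FOLDERS)
    return selection_target and (paths_1 or paths_user) and not filter_windows_update(ev)

def run_rule(events):
    return [i for i, ev in enumerate(events) if matches_rule(ev)]  # indices that alert

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Image": "C:\\Windows\\System32\\reg.exe", "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},  # 0: alerts
    {"Image": "C:\\Windows\\SoftwareDistribution\\Download\\Install\\setup.exe",  # 1: update cleanup, filtered
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wudf",
     "Details": "rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Windows\\Temp\\x\""},
    {"Image": "C:\\Program Files\\Vendor\\setup.exe", "Details": "C:\\Program Files\\Vendor\\agent.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor"},  # 2: no suspicious path
    {"Image": "C:\\Windows\\System32\\reg.exe", "Details": "C:\\Users\\bob\\Documents\\notes.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Notes"},  # 3: both user_* hit
]
```

Event 1 shows why the filter exists: its TargetObject still contains `\CurrentVersion\Run` (as a prefix of `RunOnce`) and its Details hit `:\Windows\Temp`, so without `filter_main_windows_update` the Windows Update cleanup entry would alert.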