LoFP / software using weird folders for updates

Techniques

Sample rules

New RUN Key Pointing to Suspicious Folder

Description

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Detection logic

condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*)) and not 1 of filter_main_*
filter_main_windows_update:
  Details|contains:
  - \AppData\Local\Temp\
  - C:\Windows\Temp\
  Details|contains|all:
  - 'rundll32.exe '
  - C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32
  Image|startswith: C:\Windows\SoftwareDistribution\Download\
  TargetObject|contains: \Microsoft\Windows\CurrentVersion\RunOnce\
selection_suspicious_paths_1:
  Details|contains:
  - :\Perflogs
  - :\ProgramData\
  - :\Windows\Temp
  - :\Temp
  - \AppData\Local\Temp
  - \AppData\Roaming
  - :\$Recycle.bin
  - :\Users\Default
  - :\Users\public
  - '%temp%'
  - '%tmp%'
  - '%Public%'
  - '%AppData%'
selection_suspicious_paths_user_1:
  Details|contains: :\Users\
selection_suspicious_paths_user_2:
  Details|contains:
  - \Favorites
  - \Favourites
  - \Contacts
  - \Music
  - \Pictures
  - \Documents
  - \Photos
selection_target:
  TargetObject|contains:
  - \Software\Microsoft\Windows\CurrentVersion\Run
  - \Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
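As an added example (not code from LoFP or the Sigma project), the following Python evaluator implements the rule's condition over constructed Sysmon registry_set events, so you can see how the user-folder AND-group and the Windows Update filter combine. The field names (TargetObject, Details, Image) and the match strings are the rule's own; the sample events, SIDs and file names are constructed for illustration.

```python
"""Evaluator for the Sigma rule "New RUN Key Pointing to Suspicious Folder".

Added illustrative code (not from LoFP or the Sigma project). Events are dicts
carrying the Sysmon registry_set fields the rule uses: TargetObject, Details
and Image. Sigma's contains/startswith modifiers are case-insensitive, so both
sides are lower-cased before comparison.
"""

# selection_target: any of these substrings in TargetObject.  Note that
# "...\CurrentVersion\Run" is also a substring of "...\CurrentVersion\RunOnce\",
# which is why the rule needs a filter for Windows Update's RunOnce entries.
RUN_KEYS = [
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
]

# selection_suspicious_paths_1: any of these substrings in Details
SUSPICIOUS_PATHS = [
    ":\\Perflogs", ":\\ProgramData\\", ":\\Windows\\Temp", ":\\Temp",
    "\\AppData\\Local\\Temp", "\\AppData\\Roaming", ":\\$Recycle.bin",
    ":\\Users\\Default", ":\\Users\\public",
    "%temp%", "%tmp%", "%Public%", "%AppData%",
]

# selection_suspicious_paths_user_1 and _2: "all of ...user_*" means BOTH must hit
USER_ROOT = ":\\Users\\"
USER_FOLDERS = ["\\Favorites", "\\Favourites", "\\Contacts", "\\Music",
                "\\Pictures", "\\Documents", "\\Photos"]

# filter_main_windows_update: a YAML map of fields is an AND of every field
WU_IMAGE_PREFIX = "C:\\Windows\\SoftwareDistribution\\Download\\"
WU_TARGET = "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\"
WU_DETAILS_ALL = ["rundll32.exe ", "C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32"]
WU_DETAILS_ANY = ["\\AppData\\Local\\Temp\\", "C:\\Windows\\Temp\\"]


def _contains(value, needles):
    value = value.lower()
    return any(n.lower() in value for n in needles)


def _contains_all(value, needles):
    value = value.lower()
    return all(n.lower() in value for n in needles)


def selection_target(ev):
    return _contains(ev.get("TargetObject", ""), RUN_KEYS)


def selection_suspicious_paths_1(ev):
    return _contains(ev.get("Details", ""), SUSPICIOUS_PATHS)


def selection_suspicious_paths_user(ev):
    details = ev.get("Details", "")
    return _contains(details, [USER_ROOT]) and _contains(details, USER_FOLDERS)


def filter_main_windows_update(ev):
    details = ev.get("Details", "")
    return (ev.get("Image", "").lower().startswith(WU_IMAGE_PREFIX.lower())
            and _contains(ev.get("TargetObject", ""), [WU_TARGET])
            and _contains_all(details, WU_DETAILS_ALL)
            and _contains(details, WU_DETAILS_ANY))


def matches(ev):
    """condition: selection_target and (paths_1 or all of user_*) and not 1 of filter_main_*"""
    return (selection_target(ev)
            and (selection_suspicious_paths_1(ev) or selection_suspicious_paths_user(ev))
            and not filter_main_windows_update(ev))


# Constructed sample events (not real telemetry); "name" is only a label.
SAMPLE_EVENTS = [
    {"name": "appdata_run",  # autostart from a roaming profile folder: alert
     "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe"},
    {"name": "documents_run",  # both user_* selections hit (:\Users\ and \Documents): alert
     "Image": "C:\\Users\\bob\\Downloads\\tool.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync",
     "Details": "C:\\Users\\bob\\Documents\\sync.exe"},
    {"name": "windows_update_cleanup",  # the false positive this page is about: filtered
     "Image": "C:\\Windows\\SoftwareDistribution\\Download\\Install\\example_update_package.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     "Details": "rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Windows\\Temp\\IXP000.TMP\\\""},
    {"name": "same_cleanup_other_image",  # identical command, but not written by a SoftwareDistribution binary: alert
     "Image": "C:\\Users\\bob\\Downloads\\installer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     "Details": "rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Windows\\Temp\\IXP000.TMP\\\""},
    {"name": "program_files_run",  # ordinary install location: no alert
     "Image": "C:\\Program Files\\Vendor\\installer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "\"C:\\Program Files\\Vendor\\tray.exe\" /background"},
]


def alerting(events):
    """Return the names of events the rule would alert on."""
    return [ev["name"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['name']:28} -> {'ALERT' if matches(ev) else 'ok'}")
```

The fourth event shows how narrow the filter is: the same wextract cleanup command written by any process outside SoftwareDistribution\Download still alerts, because the filter requires Image, TargetObject and both Details conditions to hold at once. Third-party updaters that stage files in Temp and register a RunOnce cleanup from their own install directory therefore surface as the "software using weird folders for updates" false positive this entry describes.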