SigmaHQ/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml

title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth, Markus Neis
tags:
    - attack.persistence
    - attack.t1060
date: 2018/25/08
modified: 2019/10/01
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13
        TargetObject: 
          - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
          - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
        Details:
          - '*C:\Windows\Temp\\*'
          - '*\AppData\\*'
          - '%AppData%\\*'
          - '*C:\$Recycle.bin\\*'
          - '*C:\Temp\\*'
          - '*C:\Users\Public\\*'
          - '%Public%\\*'
          - '*C:\Users\Default\\*'
          - '*C:\Users\Desktop\\*'
          - 'wscript*'
          - 'cscript*'
    condition: selection
fields:
    - Image
falsepositives:
    - Software with rare behaviour
level: high
Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 14:19:56 +00:00			`title: New RUN Key Pointing to Suspicious Folder`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 02ee49e2-e294-4d0f-9278-f5b3212fc588`
Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 14:19:56 +00:00			`status: experimental`
			`description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder`
Added Deskop Location, RunOnce and ATTCK Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7 2018-08-25 15:32:34 +00:00			`references:`
			`- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html`
			`author: Florian Roth, Markus Neis`
			`tags:`
			`- attack.persistence`
Fixed rules 2018-08-26 20:30:47 +00:00			`- attack.t1060`
Added Deskop Location, RunOnce and ATTCK Added C:\Users\tst01\Desktop\unprotected.vbs as seen by FIN7 2018-08-25 15:32:34 +00:00			`date: 2018/25/08`
fix: merged duplicate rules 2019-10-01 14:14:38 +00:00			`modified: 2019/10/01`
Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 14:19:56 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
Rule simplification Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details. 2018-09-28 07:58:50 +00:00			`selection:`
Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 14:19:56 +00:00			`EventID: 13`
Rule simplification Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details. 2018-09-28 07:58:50 +00:00			`TargetObject:`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\'`
			`- '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\'`
Fixed rules 2018-08-26 20:30:47 +00:00			`Details:`
fix: merged duplicate rules 2019-10-01 14:14:38 +00:00			`- 'C:\Windows\Temp\\'`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`- '\AppData\\'`
fix: merged duplicate rules 2019-10-01 14:14:38 +00:00			`- '%AppData%\\*'`
			`- 'C:\$Recycle.bin\\'`
			`- 'C:\Temp\\'`
			`- 'C:\Users\Public\\'`
			`- '%Public%\\*'`
			`- 'C:\Users\Default\\'`
			`- 'C:\Users\Desktop\\'`
			`- 'wscript*'`
			`- 'cscript*'`
Rule simplification Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details. 2018-09-28 07:58:50 +00:00			`condition: selection`
Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 14:19:56 +00:00			`fields:`
			`- Image`
			`falsepositives:`
			`- Software with rare behaviour`
			`level: high`