SigmaHQ/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml

title: New RUN Key Pointing to Suspicious Folder
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
author: Florian Roth
date: 2017/10/17
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13
        TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'
        Details: 
          - 'C:\Windows\Temp\*'
          - '*\AppData\*'
          - 'C:\$Recycle.bin\*'
          - 'C:\Temp\*'
          - 'C:\Users\Public\*'
          - 'C:\Users\Default\*'
    condition: selection
fields:
    - Image
falsepositives:
    - Software with rare behaviour
level: high
Rule: New RUN Key Pointing to Suspicious Folder 2017-10-17 14:19:56 +00:00			`title: New RUN Key Pointing to Suspicious Folder`
			`status: experimental`
			`description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder`
			`author: Florian Roth`
			`date: 2017/10/17`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 13`
			`TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'`
			`Details:`
			`- 'C:\Windows\Temp\*'`
			`- '\AppData\'`
			`- 'C:\$Recycle.bin\*'`
			`- 'C:\Temp\*'`
			`- 'C:\Users\Public\*'`
			`- 'C:\Users\Default\*'`
			`condition: selection`
			`fields:`
			`- Image`
			`falsepositives:`
			`- Software with rare behaviour`
			`level: high`