title: New RUN Key Pointing to Suspicious Folder
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
author: Florian Roth
date: 2017/10/17
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13
        TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'
        Details: 
          - 'C:\Windows\Temp\*'
          - '*\AppData\*'
          - 'C:\$Recycle.bin\*'
          - 'C:\Temp\*'
          - 'C:\Users\Public\*'
          - 'C:\Users\Default\*'
    condition: selection
fields:
    - Image
falsepositives:
    - Software with rare behaviour
level: high