SigmaHQ/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
2019-02-03 00:24:57 +01:00

34 lines
1012 B
YAML

title: New RUN Key Pointing to Suspicious Folder
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth, Markus Neis
tags:
- attack.persistence
- attack.t1060
date: 2018/25/08
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
Details:
- 'C:\Windows\Temp\\*'
- '*\AppData\\*'
- 'C:\$Recycle.bin\\*'
- 'C:\Temp\\*'
- 'C:\Users\Public\\*'
- 'C:\Users\Default\\*'
- 'C:\Users\Desktop\\*'
condition: selection
fields:
- Image
falsepositives:
- Software with rare behaviour
level: high