SigmaHQ/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
2019-11-12 23:12:27 +01:00

40 lines
1.2 KiB
YAML

title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth, Markus Neis
tags:
- attack.persistence
- attack.t1060
date: 2018/25/08
modified: 2019/10/01
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
Details:
- '*C:\Windows\Temp\\*'
- '*\AppData\\*'
- '%AppData%\\*'
- '*C:\$Recycle.bin\\*'
- '*C:\Temp\\*'
- '*C:\Users\Public\\*'
- '%Public%\\*'
- '*C:\Users\Default\\*'
- '*C:\Users\Desktop\\*'
- 'wscript*'
- 'cscript*'
condition: selection
fields:
- Image
falsepositives:
- Software with rare behaviour
level: high