SigmaHQ/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
2017-10-17 16:19:56 +02:00


title: New RUN Key Pointing to Suspicious Folder
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
author: Florian Roth
date: 2017/10/17
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 13
        TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'
        Details:
            - 'C:\Windows\Temp\*'
            - '*\AppData\*'
            - 'C:\$Recycle.bin\*'
            - 'C:\Temp\*'
            - 'C:\Users\Public\*'
            - 'C:\Users\Default\*'
    condition: selection
fields:
    - Image
falsepositives:
    - Software with rare behaviour
level: high
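To show what this selection actually matches, here is an added, self-contained Python evaluator that applies the rule's three fields (AND across fields, OR inside the `Details` list, Sigma's case-insensitive `*`/`?` wildcards with literal backslashes) to a handful of constructed Sysmon registry events. It is example code written for this page, not part of the SigmaHQ repository or any Sigma backend, and the event records are invented, not real telemetry.

```python
import re

# Selection copied from the rule above, wrapped in a dict for this example.
RULE_SELECTION = {
    "EventID": 13,
    "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*",
    "Details": [
        r"C:\Windows\Temp\*", r"*\AppData\*", r"C:\$Recycle.bin\*",
        r"C:\Temp\*", r"C:\Users\Public\*", r"C:\Users\Default\*",
    ],
}

def sigma_pattern_to_regex(pattern):
    """Sigma plain-string semantics: case-insensitive, '*' = any run, '?' = one char,
    everything else (backslashes included) literal. Sigma's backslash escapes for a
    literal '*' or '?' are not needed by this rule and are omitted here."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in str(pattern)]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def field_matches(value, patterns):
    """A list of patterns is OR-ed; a scalar is a single pattern."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(sigma_pattern_to_regex(p).match(str(value)) for p in patterns)

def matches_rule(event, selection=RULE_SELECTION):
    """Every selection field must match (AND); a missing field never matches."""
    return all(k in event and field_matches(event[k], v) for k, v in selection.items())

# Constructed Sysmon registry events (not real telemetry). Event 13 = value set.
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": HKLM_RUN + r"\Updater",
     "Details": r"C:\Users\Public\svc.exe"},                  # suspicious folder -> alert
    {"EventID": 13, "TargetObject": HKLM_RUN + r"\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},        # ordinary install path
    {"EventID": 12, "TargetObject": HKLM_RUN},                 # key created, no Details
    {"EventID": 13, "TargetObject": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     "Details": r"C:\Users\bob\AppData\Roaming\sync.exe"},    # per-user hive, outside this rule
    {"EventID": 13, "TargetObject": HKLM_RUN + r"\up",
     "Details": r"c:\windows\temp\up.exe"},                   # lower case still matches
]

def matched_indices(events=SAMPLE_EVENTS):
    """Indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    for i in matched_indices():
        print("ALERT:", SAMPLE_EVENTS[i]["TargetObject"], "->", SAMPLE_EVENTS[i]["Details"])
```

The fourth sample shows a coverage gap worth knowing about: the rule pins `TargetObject` to the HKLM hive, so a Run value written under a user's HKU hive is not covered. Note also that later Sysmon releases write the hive as `HKLM\...` rather than `\REGISTRY\MACHINE\...`, so a rule anchored on the older form stops matching silently after an agent upgrade.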