AdSearch Startup Folder Persistence File Creation (RedCanary Threat Detection Report)

Detects file creations by cscript in the startup folder, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: AdSearch Startup Folder Persistence File Creation (RedCanary Threat Detection Report)
id: 739d97f7-96e3-4e96-aebb-574b4f19d034
status: experimental
description: Detects file creations by cscript in the startup folder, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/adsearch/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\cscript.exe'
        TargetFilename|contains: 'start menu\programs\startup'
    condition: selection
falsepositives:
    - Rule is likely to require tuning to exclude normal, authorized activity
level: low
```
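To see exactly what the `selection` block above matches, here is an added example (not part of the original page, and not code from RedCanary or the rule's author) that re-implements the two field tests in plain Python and runs them over a handful of constructed Windows file-creation records shaped like Sysmon Event ID 11 output. Sigma string modifiers are case-insensitive by default, so the matcher lower-cases both sides; the sample events, the `run_rule` helper and the field names used for the records are assumptions made for this illustration.

```python
"""Evaluate the Sigma 'selection' from the rule above against constructed
file-event records. Sigma's 'endswith' and 'contains' modifiers are
case-insensitive, so both checks lower-case their operands before comparing.
"""

# Field values copied verbatim from the rule's selection block.
IMAGE_SUFFIX = r"\cscript.exe"
TARGET_SUBSTRING = r"start menu\programs\startup"


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def matches_selection(event: dict) -> bool:
    """True when the event satisfies 'selection'. Both field tests must hold,
    which mirrors Sigma's AND semantics for keys inside one selection map."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return sigma_endswith(image, IMAGE_SUFFIX) and sigma_contains(target, TARGET_SUBSTRING)


# Constructed sample events (not real telemetry), modelled on Sysmon EID 11 fields.
SAMPLE_EVENTS = [
    {   # cscript writing into a per-user Startup folder: should match
        "EventID": 11,
        "Image": r"C:\Windows\System32\cscript.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
    },
    {   # all-users Startup folder with mixed-case path and image: should still match
        "EventID": 11,
        "Image": r"C:\WINDOWS\SysWOW64\CSCRIPT.EXE",
        "TargetFilename": r"C:\ProgramData\Microsoft\Windows\START MENU\Programs\StartUp\run.lnk",
    },
    {   # cscript writing outside the Startup folder: no match
        "EventID": 11,
        "Image": r"C:\Windows\System32\cscript.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\out.txt",
    },
    {   # a different process writing into Startup: outside this rule's scope
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\note.lnk",
    },
]


def run_rule(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event the selection matches."""
    return [e["TargetFilename"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block reports the first two sample events and ignores the other two. Because the rule's `falsepositives` entry says tuning is expected, the usual Sigma way to exclude a known-good script is a second `filter` map subtracted in the condition (`condition: selection and not filter`) rather than loosening the `selection` fields themselves.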
