Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder, but not inside any of the common and well-known subdirectories (Local, Roaming, LocalLow). Dropping files directly under AppData, outside those three folders, could be used to bypass detections that exclude the AppData folder for fear of false positives.
Sigma rule
```yaml
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This method could be used as a method to bypass detections that exclude the AppData folder in fear of FPs
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.lnk'
            - '.msi'
            - '.ps1'
            - '.psm1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    filter_main:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
            - '\AppData\Roaming\'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high
```
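To make the detection logic concrete, here is an added example (not part of the SigmaHQ rule or its tooling) that re-implements the rule's selection, filter and condition in Python and runs them over constructed Sysmon-style file-creation events. Sigma string modifiers are case-insensitive by default, so all comparisons are done on lower-cased paths; the event dictionaries and their paths are constructed for illustration.

```python
# Added example: evaluate this Sigma rule's logic over constructed events.
# Not the rule's own code; Sysmon Event ID 11 field names are assumed.

SUSPICIOUS_EXTENSIONS = (
    ".bat", ".cmd", ".cpl", ".dll", ".exe", ".hta", ".iso",
    ".lnk", ".msi", ".ps1", ".psm1", ".scr", ".vbe", ".vbs",
)
# The well-known AppData subfolders the rule deliberately excludes.
COMMON_APPDATA_DIRS = (
    "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\",
)


def selection(target: str) -> bool:
    """The rule's 'selection' block: user profile, AppData, suspicious extension."""
    t = target.lower()  # Sigma modifiers are case-insensitive by default
    return (t.startswith("c:\\users\\")
            and "\\appdata\\" in t
            and t.endswith(SUSPICIOUS_EXTENSIONS))


def filter_main(target: str) -> bool:
    """The rule's 'filter_main' block: paths under Local, LocalLow or Roaming."""
    t = target.lower()
    return t.startswith("c:\\users\\") and any(d in t for d in COMMON_APPDATA_DIRS)


def matches(target: str) -> bool:
    """condition: selection and not filter_main"""
    return selection(target) and not filter_main(target)


def evaluate(events):
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches(e["TargetFilename"])]


# Constructed sample events (hypothetical paths, Sysmon-style field name).
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\alice\AppData\Updater\svc.exe"},       # fires
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},  # excluded
    {"TargetFilename": r"C:\Users\alice\AppData\Roaming\Code\x.dll"},    # excluded
    {"TargetFilename": r"C:\Users\alice\Downloads\tool.exe"},            # not AppData
    {"TargetFilename": r"C:\Users\alice\AppData\Cache\notes.txt"},       # benign ext
    {"TargetFilename": r"c:\users\BOB\APPDATA\x\run.PS1"},               # mixed case
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it reports only the two paths that sit directly under a non-standard AppData subfolder, which is exactly the gap the rule is meant to cover.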