Suspicious File Creation In Uncommon AppData Folder

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This location could be used to bypass detections that exclude the AppData folder for fear of false positives.

Sigma rule

```yaml
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This location could be used to bypass detections that exclude the AppData folder for fear of false positives.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.lnk'
            - '.msi'
            - '.ps1'
            - '.psm1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    filter_main:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
            - '\AppData\Roaming\'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high
```
