Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder, but not inside any of the common and well-known subdirectories (Local, Roaming, LocalLow). Dropping files there could be used to bypass detections that exclude the whole AppData folder out of fear of false positives.
Sigma rule

```yaml
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder in fear of FPs
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
modified: 2023/02/23
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.lnk'
            - '.msi'
            - '.ps1'
            - '.psm1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    filter_main:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
            - '\AppData\Roaming\'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high
```
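To make the selection/filter logic concrete, here is an added example (not code from the rule's author or the SigmaHQ project) that evaluates the rule above against a handful of constructed file-creation events, reproducing Sigma's default case-insensitive string matching; the sample paths and the user name `alice` are made up.

```python
# Added example, not the SigmaHQ project's code: applies this rule's
# selection / filter_main / condition logic to file-creation events
# (e.g. Sysmon Event ID 11) the way a Sigma backend would.

# Sigma string modifiers are case-insensitive by default, so every
# comparison below is done on the lowercased path.
SUSPICIOUS_EXTENSIONS = (
    ".bat", ".cmd", ".cpl", ".dll", ".exe", ".hta", ".iso",
    ".lnk", ".msi", ".ps1", ".psm1", ".scr", ".vbe", ".vbs",
)
COMMON_APPDATA_DIRS = ("\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\")


def selection(target: str) -> bool:
    """'selection': a listed extension written somewhere under C:\\Users\\...\\AppData\\."""
    t = target.lower()
    return t.startswith("c:\\users\\") and "\\appdata\\" in t and t.endswith(SUSPICIOUS_EXTENSIONS)


def filter_main(target: str) -> bool:
    """'filter_main': path inside one of the well-known AppData subfolders."""
    t = target.lower()
    return t.startswith("c:\\users\\") and any(d in t for d in COMMON_APPDATA_DIRS)


def rule_matches(target: str) -> bool:
    """'condition: selection and not filter_main'."""
    return selection(target) and not filter_main(target)


def matching_events(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event that would raise this alert."""
    return [e["TargetFilename"] for e in events if rule_matches(e["TargetFilename"])]


# Constructed sample events (not real telemetry); only TargetFilename is needed.
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},    # Local: filtered out
    {"TargetFilename": r"C:\Users\alice\AppData\Roaming\app\plugin.dll"},  # Roaming: filtered out
    {"TargetFilename": r"C:\Users\alice\AppData\Updater\svc.exe"},         # uncommon folder: alert
    {"TargetFilename": r"C:\Users\alice\AppData\run.BAT"},                 # AppData root: alert
    {"TargetFilename": r"C:\Users\alice\AppData\Cache\notes.txt"},         # extension not listed
    {"TargetFilename": r"C:\Users\alice\Documents\tool.ps1"},              # not under AppData
]

if __name__ == "__main__":
    for path in matching_events(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Note that `filter_main` is a substring match, as in the rule itself, so a file directly in `AppData\` or in any subfolder not named Local, LocalLow or Roaming is what triggers the alert.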
Related rules
- Arbitrary File Download Via MSPUB.EXE
- Invoke-Obfuscation CLIP+ Launcher - System
- PUA - AdvancedRun Execution
- Remotely Hosted HTA File Executed Via Mshta.EXE
- Service StartupType Change Via PowerShell Set-Service