Suspicious Files in Default GPO Folder
Detects the creation or copying of suspicious files (EXE/DLL) into the default GPO storage folder (the Default Domain Policy GUID path under SYSVOL).
Sigma rule

title: Suspicious Files in Default GPO Folder
id: 5f87308a-0a5b-4623-ae15-d8fa1809bc60
status: test
description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
tags:
    - attack.t1036.005
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
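As an added illustration (not part of the Sigma project's rule or of any Sigma backend), the following Python evaluates this rule's selection against constructed file_event records, applying Sigma's default case-insensitive string matching; the sample events and the helper names matches_rule and find_hits are assumptions made here.

```python
"""Evaluate the rule's `selection` above against constructed file_event records.

Sigma string modifiers (contains, endswith) are case-insensitive by default,
so both sides are lowercased before comparison.  The events are constructed
samples in Sysmon Event ID 11 (FileCreate) shape, not real telemetry.
"""
from __future__ import annotations

# The rule's selection, transcribed from the YAML above.
GPO_DEFAULT_DOMAIN_POLICY_PATH = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\"
SUSPICIOUS_EXTENSIONS = (".dll", ".exe")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `selection` (both clauses must hold)."""
    target = event.get("TargetFilename", "").lower()
    in_gpo_folder = GPO_DEFAULT_DOMAIN_POLICY_PATH.lower() in target
    # A list of values under `endswith` is an OR over those values.
    is_binary = any(target.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)
    return in_gpo_folder and is_binary


def find_hits(events: list[dict]) -> list[dict]:
    """Return the events that this rule would raise an alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts and paths).  The `contains`
# clause matches both the local SYSVOL path and the UNC form of the share.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",   # normal GPO write: .pol file, no alert
     "TargetFilename": r"C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Registry.pol"},
    {"Image": r"C:\Windows\explorer.exe",           # EXE dropped via the UNC share path
     "TargetFilename": r"\\corp.example\SYSVOL\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\update.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",       # upper-case extension still matches
     "TargetFilename": r"C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\Logon\helper.DLL"},
    {"Image": r"C:\Windows\System32\cmd.exe",       # EXE outside the GPO folder, no alert
     "TargetFilename": r"C:\Users\alice\Downloads\tool.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Because the rule only inspects TargetFilename, triage should pull the writing process (Image) and user from the same event to distinguish legitimate GPO administration from the tampering the rule is meant to surface.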
Related rules
- Exploit for CVE-2015-1641
- Files With System DLL Name In Unsuspected Locations
- Files With System Process Name In Unsuspected Locations
- Flash Player Update from Suspicious Location
- Greenbug Espionage Group Indicators