Suspicious File Creation Activity From Fake Recycle.Bin Folder

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Sigma rule (View on GitHub)

 1title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
 2id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
 3related:
 4    - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
 5      type: derived
 6status: experimental
 7description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
 8references:
 9    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
10    - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
11author: X__Junior (Nextron Systems)
12date: 2023/07/12
13modified: 2023/11/06
14tags:
15    - attack.persistence
16    - attack.defense_evasion
17logsource:
18    category: file_event
19    product: windows
20detection:
21    selection:
22        - Image|contains:
23              # e.g. C:\$RECYCLER.BIN
24              - 'RECYCLERS.BIN\'
25              - 'RECYCLER.BIN\'
26              - 'RECYCLE.BIN\'
27        - TargetFilename|contains:
28              # e.g. C:\$RECYCLER.BIN
29              - 'RECYCLERS.BIN\'
30              - 'RECYCLER.BIN\'
31              - 'RECYCLE.BIN\'
32    condition: selection
33falsepositives:
34    - Unknown
35level: high

References

Related rules

to-top