Suspicious File Creation Activity From Fake Recycle.Bin Folder
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Sigma rule (View on GitHub)
1title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
2id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
3related:
4 - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
5 type: derived
6status: experimental
7description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
8references:
9 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
10 - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
11author: X__Junior (Nextron Systems)
12date: 2023/07/12
13modified: 2023/11/06
14tags:
15 - attack.persistence
16 - attack.defense_evasion
17logsource:
18 category: file_event
19 product: windows
20detection:
21 selection:
22 - Image|contains:
23 # e.g. C:\$RECYCLER.BIN
24 - 'RECYCLERS.BIN\'
25 - 'RECYCLER.BIN\'
26 - 'RECYCLE.BIN\'
27 - TargetFilename|contains:
28 # e.g. C:\$RECYCLER.BIN
29 - 'RECYCLERS.BIN\'
30 - 'RECYCLER.BIN\'
31 - 'RECYCLE.BIN\'
32 condition: selection
33falsepositives:
34 - Unknown
35level: high
References
-
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and foun...
Read More -
A Cloaked Ursa phishing campaign targeted Kyiv embassy-based government officials. This is a new tactic targeting individuals instead of organizations.
Read More
Related rules
- Suspicious Process Execution From Fake Recycle.Bin Folder
- Potential Persistence Via Security Descriptors - ScriptBlock
- Potential Suspicious Activity Using SeCEdit
- Suspicious Execution via macOS Script Editor
- Triple Cross eBPF Rootkit Default Persistence