Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
Sigma rule (View on GitHub)
1title: Suspicious Process Execution From Fake Recycle.Bin Folder
2id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
3related:
4 - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
5 type: derived
6status: experimental
7description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
8references:
9 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
10 - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
11author: X__Junior (Nextron Systems)
12date: 2023-07-12
13modified: 2023-12-11
14tags:
15 - attack.persistence
16 - attack.defense-evasion
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 Image|contains:
23 # e.g. C:\$RECYCLER.BIN
24 - 'RECYCLERS.BIN\'
25 - 'RECYCLER.BIN\'
26 condition: selection
27falsepositives:
28 - Unlikely
29level: high
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow