Suspicious Run Key from Download

Feb 1, 2023 · attack.persistence attack.t1547.001 ·

Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories

Sigma rule (View on GitHub)

 1title: Suspicious Run Key from Download
 2id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
 3status: test
 4description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
 5references:
 6    - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
 7author: Florian Roth (Nextron Systems)
 8date: 2019/10/01
 9modified: 2021/11/27
10tags:
11    - attack.persistence
12    - attack.t1547.001
13logsource:
14    category: registry_event
15    product: windows
16detection:
17    selection:
18        Image|contains:
19            - '\Downloads\'
20            - '\Temporary Internet Files\Content.Outlook\'
21            - '\Local Settings\Temporary Internet Files\'
22        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
23    condition: selection
24falsepositives:
25    - Software installers downloaded and used by users
26level: high

References

Analysis http://aylaspa.com/8yntna/64uc1/ Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More

Suspicious Run Key from Download

Sigma rule (View on GitHub)

References

Analysis http://aylaspa.com/8yntna/64uc1/ Malicious activity - Interactive analysis ANY.RUN

Related rules