New RUN Key Pointing to Suspicious Folder

 1title: New RUN Key Pointing to Suspicious Folder
 2id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
 3status: experimental
 4description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 7author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
 8date: 2018-08-25
 9modified: 2024-07-16
10tags:
11    - attack.persistence
12    - attack.t1547.001
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_target:
18        TargetObject|contains:
19            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
20            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
21    selection_details:
22        - Details|contains:
23              - ':\$Recycle.bin\'
24              - ':\Temp\'
25              - ':\Users\Default\'
26              - ':\Users\Desktop\'
27              - ':\Users\Public\'
28              - ':\Windows\Temp\'
29              - '\AppData\Local\Temp\'
30              - '%temp%\'
31              - '%tmp%\'
32        - Details|startswith:
33              - '%Public%\'
34              - 'wscript'
35              - 'cscript'
36    filter_main_windows_update:
37        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
38        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
39        Details|contains|all:
40            - 'rundll32.exe '
41            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
42        Details|contains:
43            - '\AppData\Local\Temp\'
44            - 'C:\Windows\Temp\'
45    condition: all of selection_* and not 1 of filter_main_*
46falsepositives:
47    - Software using weird folders for updates
48level: high