New RUN Key Pointing to Suspicious Folder
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Sigma rule (View on GitHub)
1title: New RUN Key Pointing to Suspicious Folder
2id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
3status: experimental
4description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
5references:
6 - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
7author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
8date: 2018/08/25
9modified: 2024/03/18
10tags:
11 - attack.persistence
12 - attack.t1547.001
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection_target:
18 TargetObject|contains:
19 - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
20 - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
21 selection_details:
22 - Details|contains:
23 - ':\$Recycle.bin\'
24 - ':\Temp\'
25 - ':\Users\Default\'
26 - ':\Users\Desktop\'
27 - ':\Users\Public\'
28 - ':\Windows\Temp\'
29 - '\AppData\Local\Temp\'
30 - '%temp%\'
31 - '%tmp%\'
32 - Details|startswith:
33 - '%Public%\'
34 - 'wscript'
35 - 'cscript'
36 filter_main_windows_update:
37 Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
38 Details|contains|all:
39 - 'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
40 - 'C:\Windows\Temp\'
41 condition: all of selection_* and not 1 of filter_main_*
42falsepositives:
43 - Software using weird folders for updates
44level: high
References
Related rules
- PowerShell Startup Folder Persistence
- Potential KamiKakaBot Activity - Winlogon Shell Persistence
- File Creation In Suspicious Directory By Msdt.EXE
- Potential Startup Shortcut Persistence Via PowerShell.EXE
- Registry Persistence via Explorer Run Key