New RUN Key Pointing to Suspicious Folder

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Sigma rule (View on GitHub)

 1title: New RUN Key Pointing to Suspicious Folder
 2id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
 3status: experimental
 4description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 7author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
 8date: 2018/08/25
 9modified: 2023/12/11
10tags:
11    - attack.persistence
12    - attack.t1547.001
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_target:
18        TargetObject|contains:
19            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
20            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
21    selection_details:
22        - Details|contains:
23              - ':\$Recycle.bin\'
24              - ':\Temp\'
25              - ':\Users\Default\'
26              - ':\Users\Desktop\'
27              - ':\Users\Public\'
28              - ':\Windows\Temp\'
29              - '\AppData\Local\Temp\'
30              - '%temp%\'
31              - '%tmp%\'
32        - Details|startswith:
33              - '%Public%\'
34              - 'wscript'
35              - 'cscript'
36    condition: all of selection_*
37fields:
38    - Image
39falsepositives:
40    - Software using weird folders for updates
41level: high

References

Related rules

to-top