New RUN Key Pointing to Suspicious Folder

calendar Mar 26, 2024 · attack.persistence attack.t1547.001  ·
Share on: linkedin copy

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Sigma rule (View on GitHub)

 1title: New RUN Key Pointing to Suspicious Folder
 2id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
 3status: experimental
 4description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 7author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
 8date: 2018/08/25
 9modified: 2024/03/18
10tags:
11    - attack.persistence
12    - attack.t1547.001
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_target:
18        TargetObject|contains:
19            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
20            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
21    selection_details:
22        - Details|contains:
23              - ':\$Recycle.bin\'
24              - ':\Temp\'
25              - ':\Users\Default\'
26              - ':\Users\Desktop\'
27              - ':\Users\Public\'
28              - ':\Windows\Temp\'
29              - '\AppData\Local\Temp\'
30              - '%temp%\'
31              - '%tmp%\'
32        - Details|startswith:
33              - '%Public%\'
34              - 'wscript'
35              - 'cscript'
36    filter_main_windows_update:
37        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
38        Details|contains|all:
39            - 'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
40            - 'C:\Windows\Temp\'
41    condition: all of selection_* and not 1 of filter_main_*
42falsepositives:
43    - Software using weird folders for updates
44level: high

References

Related rules

to-top