Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

New RUN Key Pointing to Suspicious Folder

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)Created Sat Aug 25Updated Mon Oct 0602ee49e2-e294-4d0f-9278-f5b3212fc588windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic6 selectors
detection:
    selection_target:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        Details|contains:
            - ':\Perflogs'
            - :\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        Details|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        Details|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    filter_main_windows_update:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        Details|contains|all:
            - 'rundll32.exe '
            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
    filter_optional_spotify:
        Image|endswith:
            - 'C:\Program Files\Spotify\Spotify.exe'
            - 'C:\Program Files (x86)\Spotify\Spotify.exe'
            - '\AppData\Roaming\Spotify\Spotify.exe'
        TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
        Details|endswith: 'Spotify.exe --autostart --minimized'
    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Software using weird folders for updates

References
1
Resolving title…
fireeye.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
02ee49e2-e294-4d0f-9278-f5b3212fc588
Status
experimental
Level
high
Type
Detection
Created
Sat Aug 25
Modified
Mon Oct 06
Author
Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
View on GitHub