Type: Detection | Level: medium | Status: test

Suspicious Files in Default GPO Folder

Detects the creation or copying of suspicious files (EXE/DLL) into the default GPO storage folder.

Author: elhoim | Created: Thu Apr 28 | Rule ID: 5f87308a-0a5b-4623-ae15-d8fa1809bc60 | Product: windows

Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (1 selector)
detection:
    selection:
        TargetFilename|contains: '\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection
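To show what the selector above actually matches, here is an added Python evaluator (not part of the rule or the page) that applies the same contains/endswith logic, case-insensitively as Sigma does by default, to a handful of constructed Sysmon Event ID 11 (FileCreate) records. The field name TargetFilename follows Sysmon; the paths, host and domain names are made up.

```python
"""Evaluate the Sigma selection for 'Suspicious Files in Default GPO Folder'
over constructed Sysmon EID 11 events. Added example, not the rule's own code."""

# Path fragment from the rule; the GUID is the Default Domain Policy GPO.
GPO_PATH_FRAGMENT = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\"
SUSPICIOUS_SUFFIXES = (".dll", ".exe")

# Constructed sample events (simplified Sysmon EID 11 fields, not real telemetry).
DEFAULT_GPO = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\"
DC_GPO = "\\Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\"
SAMPLE_EVENTS = [
    # Normal GPO edit: Registry.pol is not an EXE/DLL, so no hit.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\mmc.exe",
     "TargetFilename": "C:\\Windows\\SYSVOL\\sysvol\\corp.example"
                       + DEFAULT_GPO + "Machine\\Registry.pol"},
    # Executable dropped into the Default Domain Policy via UNC path: hit
    # (uppercase extension still matches, Sigma compares case-insensitively).
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe",
     "TargetFilename": "\\\\dc01\\SYSVOL\\corp.example"
                       + DEFAULT_GPO + "Machine\\Scripts\\Startup\\update.EXE"},
    # DLL in the Default Domain Controllers Policy: different GUID, no hit.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Windows\\SYSVOL\\sysvol\\corp.example"
                       + DC_GPO + "Machine\\helper.dll"},
    # DLL written to the local SYSVOL copy of the Default Domain Policy: hit.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\SYSVOL\\sysvol\\corp.example"
                       + DEFAULT_GPO + "User\\Scripts\\Logon\\loader.dll"},
    # EXE outside any GPO folder: no hit.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Temp\\setup.exe"},
]


def matches_selection(event):
    """True when TargetFilename contains the GPO path AND ends with .dll/.exe."""
    target = str(event.get("TargetFilename", "")).lower()
    if GPO_PATH_FRAGMENT.lower() not in target:
        return False
    return any(target.endswith(suffix) for suffix in SUSPICIOUS_SUFFIXES)


def find_hits(events):
    """Return the TargetFilename of every event the selector matches."""
    return [e["TargetFilename"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT:", hit)
```

Because the selector keys only on the path and extension, legitimate administrators deploying startup or logon script executables through the Default Domain Policy will also match; pairing each hit with the writing process (Image) and the user account is the natural next step in triage.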
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID: 5f87308a-0a5b-4623-ae15-d8fa1809bc60
Status: test
Level: medium
Type: Detection
Created: Thu Apr 28
Author: elhoim
Path: rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
Raw Tags: attack.t1036.005, attack.defense-evasion