Detection (level: low, status: experimental)

Suspicious Deno File Written from Remote Source

Detects Deno writing a file fetched by a direct HTTP(S) call into the user's AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.

Authors: Josh Nickels, Michael Taggart
Created: Thu May 22
Rule ID: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
Product: windows

Log Source
Product: windows
Category: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
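How the selection above evaluates against individual file-creation events, as an added Python example that is not part of the rule or the project's own code. The substrings are copied from the rule; the sample events are constructed. Sigma string matching is case-insensitive by default, and `contains|all` requires every listed substring, so a write into the Deno cache under C:\ProgramData (no `:\Users\` and no `\AppData\`) does not fire, while a differently-cased path under a user profile does.

```python
"""Added example: evaluate the rule's selection_path over constructed file events.

Not part of the Sigma rule or the project's code. The needles are the rule's own;
the events below are constructed sample telemetry, not real logs.
"""

# TargetFilename|contains -> at least one of these must be a substring.
CONTAINS_ANY = ["\\deno\\gen\\", "\\deno\\remote\\https\\"]

# TargetFilename|contains|all -> every one of these must be a substring.
CONTAINS_ALL = [":\\Users\\", "\\AppData\\"]


def selection_path(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies the rule's single selector.

    Sigma compares strings case-insensitively by default, so both the event
    value and the needles are lower-cased before the substring test.
    """
    value = target_filename.lower()
    any_hit = any(needle.lower() in value for needle in CONTAINS_ANY)
    all_hit = all(needle.lower() in value for needle in CONTAINS_ALL)
    return any_hit and all_hit


def evaluate(events):
    """Return the events whose TargetFilename matches (condition: selection_path)."""
    return [e for e in events if selection_path(e.get("TargetFilename", ""))]


# Constructed sample file_event records (only the field the rule inspects matters).
SAMPLE_EVENTS = [
    # Remote module cached from an HTTPS fetch under the user's AppData -> match
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\deno\\remote\\https\\example.test\\abcdef"},
    # Generated/transpiled output in the Deno cache under AppData -> match
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\deno\\gen\\file\\C\\proj\\main.ts.js"},
    # Same shape, different casing: Sigma matching is case-insensitive -> match
    {"TargetFilename": "c:\\users\\bob\\appdata\\local\\DENO\\GEN\\cache.js"},
    # Deno cache path, but not under a user profile / AppData -> no match
    {"TargetFilename": "C:\\ProgramData\\deno\\gen\\x"},
    # Under AppData, but not a Deno cache directory -> no match
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Code\\settings.json"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "MATCH   " if selection_path(event["TargetFilename"]) else "no match"
        print(verdict, event["TargetFilename"])
```

Running the block prints one verdict per sample event; the first three paths match and the last two do not. The same helper can be pointed at exported Sysmon Event ID 11 (FileCreate) records to check what the rule would have fired on before deploying it.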
False Positives

Legitimate use of Deno to fetch a remote module or bring a DLL onto a host

Rule Metadata
Rule ID
6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
Status
experimental
Level
low
Type
Detection
Created
Thu May 22
Path
rules/windows/file/file_event/file_event_win_creation_deno.yml
Raw Tags
attack.execution, attack.t1204, attack.t1059.007, attack.command-and-control, attack.t1105