Detectionhightest

PCRE.NET Package Temp Files

Detects processes creating temp files related to PCRE.NET package

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Thu Oct 29Updated Sun Oct 096e90ae7a-7cd3-473f-a035-4ebb72d961dawindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

6e90ae7a-7cd3-473f-a035-4ebb72d961da

Status

test

Level

high

Type

Detection

Created

Thu Oct 29

Modified

Sun Oct 09

Author

Path

rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml

Raw Tags

attack.executionattack.t1059