Threat Hunt | Level: low | Status: test

Potential Suspicious Execution From GUID Like Folder Names

Detects potentially suspicious process execution from a GUID-like folder name located in a suspicious location such as %TEMP%, as seen in IcedID attacks. Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Sep 01
Updated: Thu Mar 02
Rule ID: 90b63c33-2b97-4631-a011-ceb0f47b77c3
Product: windows
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    # Uncomment this section and remove the filter if you want the rule to be more specific to processes
    # selection_img:
    #     Image|endswith:
    #         - '\rundll32.exe'
    selection_folder:
        CommandLine|contains:
            # Add more suspicious or unexpected paths
            - '\AppData\Roaming\'
            - '\AppData\Local\Temp\' # This could generate some FP with some installers creating folders with GUID
    selection_guid:
        CommandLine|contains|all:
            - '\{'
            - '}\'
    filter_main_image_guid:
        Image|contains|all:
            - '\{'
            - '}\'
    filter_main_null:
        Image: null
    filter_main_driver_inst:  # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
        Image: 'C:\Windows\System32\drvinst.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: all of selection_* and not 1 of filter*
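
The following is an added example, not part of the rule or of the SigmaHQ project: a stand-alone Python evaluator that applies the selection and filter logic above to a handful of constructed process-creation events, so a detection engineer can check which events the rule would flag and which the filters suppress before deploying it. The event dictionaries, the user name, the GUIDs and the command lines are constructed for illustration (the DrvInst.exe command line is the one quoted in the rule's own comment); Sigma string matching is treated as case-insensitive, which is Sigma's default for `contains` and plain equality.

```python
"""Evaluate the GUID-folder Sigma rule logic against constructed events.

Added example; this is not a Sigma backend and not the rule's official code.
"""

from typing import Iterable, List, Optional

# Constructed sample events (fields named as in the Sigma process_creation log source).
SAMPLE_EVENTS = [
    {   # 0: DLL loaded by rundll32 from a GUID-named folder under Temp -> should match
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\{1f2e3d4c-0000-4000-8000-000000000001}\update.dll",init',
    },
    {   # 1: installer using a GUID temp folder -> suppressed by filter_main_msiexec
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\{1f2e3d4c-0000-4000-8000-000000000002}\setup.msi"',
    },
    {   # 2: the image itself sits in a GUID folder -> suppressed by filter_main_image_guid
        "Image": r"C:\Users\alice\AppData\Local\Temp\{1f2e3d4c-0000-4000-8000-000000000003}\setup.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\{1f2e3d4c-0000-4000-8000-000000000003}\setup.exe" /s',
    },
    {   # 3: Image field missing (telemetry gap) -> suppressed by filter_main_null
        "Image": None,
        "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\{1f2e3d4c-0000-4000-8000-000000000004}\run.bat"',
    },
    {   # 4: Temp path without braces -> selection_guid does not match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\update.bat"',
    },
    {   # 5: driver installer, command line taken from the rule comment -> suppressed by filter_main_driver_inst
        "Image": r"C:\Windows\System32\DrvInst.exe",
        "CommandLine": r'DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7"',
    },
]


def _contains(value: Optional[str], needle: str) -> bool:
    """Sigma `|contains`: case-insensitive substring; a null field never contains anything."""
    return value is not None and needle.lower() in value.lower()


def _contains_all(value: Optional[str], needles: Iterable[str]) -> bool:
    return all(_contains(value, n) for n in needles)


def _contains_any(value: Optional[str], needles: Iterable[str]) -> bool:
    return any(_contains(value, n) for n in needles)


def _equals_any(value: Optional[str], candidates: Iterable[str]) -> bool:
    """Sigma plain value match: case-insensitive equality against a list."""
    return value is not None and value.lower() in {c.lower() for c in candidates}


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `all of selection_* and not 1 of filter*`."""
    image = event.get("Image")
    cmd = event.get("CommandLine")

    selection_folder = _contains_any(cmd, ["\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\"])
    selection_guid = _contains_all(cmd, ["\\{", "}\\"])

    filter_main_image_guid = _contains_all(image, ["\\{", "}\\"])
    filter_main_null = image is None
    filter_main_driver_inst = _equals_any(image, ["C:\\Windows\\System32\\drvinst.exe"])
    filter_main_msiexec = _equals_any(
        image, ["C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe"]
    )

    selected = selection_folder and selection_guid
    filtered = filter_main_image_guid or filter_main_null or filter_main_driver_inst or filter_main_msiexec
    return selected and not filtered


def hunt(events: List[dict]) -> List[int]:
    """Indices of the events the rule would surface for triage."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in hunt(SAMPLE_EVENTS):
        print(f"hit {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running the block prints only event 0, the rundll32 execution out of a GUID-named Temp folder; the installer, driver-installer, image-in-GUID-folder and null-Image events are all dropped by the filters, and the plain Temp path never satisfies selection_guid. Swapping in real process-creation events from your own telemetry is the quickest way to estimate the false-positive volume the rule's note warns about before adding filters.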
False Positives

Installers are sometimes known for creating temporary folders with GUID-like names. Add appropriate filters accordingly.

MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
90b63c33-2b97-4631-a011-ceb0f47b77c3
Status
test
Level
low
Type
Threat Hunt
Created
Thu Sep 01
Modified
Thu Mar 02
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
Raw Tags
attack.defense-evasion, attack.t1027, detection.threat-hunting