Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious File Creation Activity From Fake Recycle.Bin Folder

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
X__Junior (Nextron Systems)Created Wed Jul 12Updated Mon Dec 11cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bcawindows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        - Image|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
        - TargetFilename|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
mandiant.com
2
Resolving title…
unit42.paloaltonetworks.com
Testing & Validation

Regression Tests

by SigmaHQ Team
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

Suspicious Process Execution From Fake Recycle.Bin Folder

Detects process execution from a fake recycle bin folder, often used to avoid security solution.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
Status
test
Level
high
Type
Detection
Created
Wed Jul 12
Modified
Mon Dec 11
Author
X__Junior (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
Raw Tags
attack.persistenceattack.defense-evasion
View on GitHub