Detectionhightest
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri Aug 05Updated Thu Feb 23d7b50671-d1ad-4871-aa60-5aa5b331fe04windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\'
TargetFilename|endswith:
# Add more as needed
- '.bat'
- '.cmd'
- '.cpl'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.lnk'
- '.msi'
- '.ps1'
- '.psm1'
- '.scr'
- '.vbe'
- '.vbs'
filter_main:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains:
- '\AppData\Local\'
- '\AppData\LocalLow\'
- '\AppData\Roaming\'
condition: selection and not filter_mainFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
1
Resolving title…
Internal ResearchMITRE ATT&CK
Rule Metadata
Rule ID
d7b50671-d1ad-4871-aa60-5aa5b331fe04
Status
test
Level
high
Type
Detection
Created
Fri Aug 05
Modified
Thu Feb 23
Path
rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
Raw Tags
attack.defense-evasionattack.execution