Detection rules › Sigma
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files inside the user's AppData folder but outside any of the common, well-known subdirectories (Local, Roaming, LocalLow). Dropping files into an uncommon AppData subfolder could be used to evade detections that exclude the whole AppData folder for fear of false positives.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection (all three predicates on TargetFilename must hold; the extension list is matched as any-of)
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\'
TargetFilename|endswith, any of:
.bat
.cmd
.cpl
.dll
.exe
.hta
.iso
.lnk
.msi
.ps1
.psm1
.scr
.vbe
.vbs
Stage 2: not filter_main (events matching this stage are excluded; both predicates must hold, the contains list is any-of)
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains, any of:
'\AppData\LocalLow\'
'\AppData\Local\'
'\AppData\Roaming\'
Condition: selection and not filter_main
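The two stages re-implemented in Python and run over a handful of constructed Sysmon EventID 11 records, as an added example (not the rule's own code or a Sigma backend); it assumes Sigma's default case-insensitive string matching and the event field names shown above.

```python
"""Re-implementation of the rule's two stages over constructed Sysmon EventID 11 records."""

SUSPICIOUS_EXTENSIONS = (
    ".bat", ".cmd", ".cpl", ".dll", ".exe", ".hta", ".iso",
    ".lnk", ".msi", ".ps1", ".psm1", ".scr", ".vbe", ".vbs",
)
# Well-known AppData subfolders that the filter stage excludes.
COMMON_APPDATA_DIRS = ("\\appdata\\locallow\\", "\\appdata\\local\\", "\\appdata\\roaming\\")


def selection(target: str) -> bool:
    """Stage 1: path under C:\\Users\\...\\AppData\\... with a suspicious extension.
    Sigma string modifiers compare case-insensitively, so the path is lower-cased first."""
    p = target.lower()
    return (p.startswith("c:\\users\\")
            and "\\appdata\\" in p
            and p.endswith(SUSPICIOUS_EXTENSIONS))


def filter_main(target: str) -> bool:
    """Stage 2: paths inside Local, LocalLow or Roaming are filtered out."""
    p = target.lower()
    return p.startswith("c:\\users\\") and any(d in p for d in COMMON_APPDATA_DIRS)


def rule_matches(event: dict) -> bool:
    """condition: selection and not filter_main, on Sysmon FileCreate (EventID 11) only."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    return selection(target) and not filter_main(target)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Updater\helper.exe"},    # alert
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setup.msi"},  # common dir
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Word\x.dll"},    # common dir
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Cache\notes.txt"},       # benign ext
    {"EventID": 11, "TargetFilename": r"C:\USERS\BOB\APPDATA\Sync\run.PS1"},            # alert (case)
    {"EventID": 23, "TargetFilename": r"C:\Users\alice\AppData\Updater\helper.exe"},    # FileDelete
    {"EventID": 11, "TargetFilename": r"D:\Users\alice\AppData\Tools\x.bat"},           # not C:\Users
]


def evaluate(events) -> list:
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the two paths in uncommon AppData subfolders fire; the mixed-case path still matches because the comparison is case-insensitive, mirroring Sigma's default.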
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| TargetFilename | ends_with | .bat, .cmd, .cpl, .dll, .exe, .hta, .iso, .lnk, .msi, .ps1, .psm1, .scr, .vbe, .vbs |
| TargetFilename | match | `\AppData\` (selection); `\AppData\LocalLow\`, `\AppData\Local\`, `\AppData\Roaming\` (filter_main) |
| TargetFilename | starts_with | `C:\Users\` |