detection.wiki

Detection rules › Sigma

New RUN Key Pointing to Suspicious Folder

Severity
high
Author
Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege EscalationT1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection_target

or:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
TargetObject|contains: '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'

Stage 2: selection_suspicious_paths_1

or:
Details|contains: '%AppData%'
Details|contains: '%Public%'
Details|contains: '%temp%'
Details|contains: '%tmp%'
Details|contains: ':\$Recycle.bin'
Details|contains: ':\Perflogs'
Details|contains: ':\ProgramData'''
Details|contains: ':\Temp'
Details|contains: ':\Users\Default'
Details|contains: ':\Users\public'
Details|contains: ':\Windows\Temp'
Details|contains: '\AppData\Local\Temp'
Details|contains: '\AppData\Roaming'

Stage 3: all of selection_suspicious_paths_user_1

Details|contains: ':\Users\'

Stage 4: all of selection_suspicious_paths_user_2

or:
Details|contains: '\Contacts'
Details|contains: '\Documents'
Details|contains: '\Favorites'
Details|contains: '\Favourites'
Details|contains: '\Music'
Details|contains: '\Photos'
Details|contains: '\Pictures'

Stage 5: not 1 of filter_main_windows_update

or:
Details|contains: 'C:\Windows\Temp\'
Details|contains: '\AppData\Local\Temp\'
Details|contains: 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
Details|contains: 'rundll32.exe '
Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'

Stage 6: not 1 of filter_optional_spotify

or:
Image|endswith: 'C:\Program Files (x86)\Spotify\Spotify.exe'
Image|endswith: 'C:\Program Files\Spotify\Spotify.exe'
Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe'
Details|endswith: 'Spotify.exe --autostart --minimized'
TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailsends_with
  • Spotify.exe --autostart --minimized
Detailsmatch
  • %AppData% corpus 2 (sigma 2)
  • %Public%
  • %temp% corpus 3 (sigma 3)
  • %tmp% corpus 4 (sigma 4)
  • :\$Recycle.bin
  • :\Perflogs
  • :\ProgramData'
  • :\Temp
  • :\Users\ corpus 4 (sigma 4)
  • :\Users\Default
  • :\Users\public
  • :\Windows\Temp
  • C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32
  • C:\Windows\Temp\
  • \AppData\Local\Temp
  • \AppData\Local\Temp\ corpus 9 (sigma 9)
  • \AppData\Roaming
  • \Contacts
  • \Documents
  • \Favorites
  • \Favourites
  • \Music
  • \Photos
  • \Pictures
  • rundll32.exe
Imageends_with
  • C:\Program Files (x86)\Spotify\Spotify.exe
  • C:\Program Files\Spotify\Spotify.exe
  • \AppData\Roaming\Spotify\Spotify.exe corpus 2 (sigma 2)
Imagestarts_with
  • C:\Windows\SoftwareDistribution\Download\
TargetObjectends_with
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify
TargetObjectmatch
  • \Microsoft\Windows\CurrentVersion\RunOnce\
  • \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run corpus 3 (sigma 3)
  • \Software\Microsoft\Windows\CurrentVersion\Run corpus 3 (sigma 3)
  • \Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run corpus 3 (sigma 3)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.