New RUN Key Pointing to Suspicious Folder
About the rule
Rule Type
Standard
Rule Description
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Registry value modified"
  AND (
    OBJECTNAME contains "\Software\Microsoft\Windows\CurrentVersion\Run,\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run,\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    OR (
      (OBJECTNAME endswith "\Software\Microsoft\Windows\CurrentVersion" AND OBJECTVALUENAME startswith "Run")
      OR (OBJECTNAME endswith "\Software\WOW6432Node\Microsoft\Windows\CurrentVersion" AND OBJECTVALUENAME startswith "Run")
      OR (OBJECTNAME endswith "\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" AND OBJECTVALUENAME startswith "Run")
    )
  )
  AND (
    INFORMATION contains ":\Perflogs,:\ProgramData,:\Windows\Temp,:\Temp,\AppData\Local\Temp,\AppData\Roaming,:\$Recycle.bin,:\Users\Default,:\Users\public,%temp%,%tmp%,%Public%,%AppData%"
    OR (INFORMATION contains ":\Users" AND INFORMATION contains "\Favorites,\Favourites,\Contacts,\Music,\Pictures,\Documents,\Photos")
  )
  AND (
    (OBJECTNAME notcontains "\Microsoft\Windows\CurrentVersion\RunOnce" AND (OBJECTNAME notendswith "\Microsoft\Windows\CurrentVersion\RunOnce" OR isNotExist(OBJECTVALUENAME)))
    OR PROCESSNAME notstartswith "C:\Windows\SoftwareDistribution\Download"
    OR (INFORMATION notcontains "rundll32.exe " OR INFORMATION notcontains "C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32")
    OR INFORMATION notcontains "\AppData\Local\Temp\,C:\Windows\Temp"
  )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.OBJECTNAME, Action1.PROCESSNAME, Action1.PREVVAL, Action1.CHANGES
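As an added illustration (not the vendor's engine and not the rule authors' code), the selection half of the criteria above re-implemented in Python and run over a few constructed registry-modification events: it keeps the RunOnce exclusion, assumes the rule's "contains" and "endswith" operators are case-insensitive, and omits the narrower Windows Update / advpack exclusions for brevity.

```python
# Rule selection logic re-implemented on plain dicts (not the vendor's engine); assumes case-insensitive matching.
RUN_KEY_PARENTS = (
    r"\Software\Microsoft\Windows\CurrentVersion",
    r"\Software\WOW6432Node\Microsoft\Windows\CurrentVersion",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
)
SUSPICIOUS_FOLDERS = (  # image-path fragments the criteria flag in INFORMATION
    r":\Perflogs", r":\ProgramData", r":\Windows\Temp", r":\Temp", r"\AppData\Local\Temp",
    r"\AppData\Roaming", r":\$Recycle.bin", r":\Users\Default", r":\Users\public",
    "%temp%", "%tmp%", "%Public%", "%AppData%",
)
USER_SUBFOLDERS = (r"\Favorites", r"\Favourites", r"\Contacts", r"\Music",
                   r"\Pictures", r"\Documents", r"\Photos")  # only suspicious together with ":\Users"

def _contains_any(text, needles):
    low = text.lower()
    return any(n.lower() in low for n in needles)

def is_run_key(object_name, value_name):
    """True for the rule's autorun key locations; RunOnce keys are excluded as in the criteria."""
    low = object_name.lower()
    if "\\currentversion\\runonce" in low:
        return False
    if _contains_any(object_name, [p + "\\Run" for p in RUN_KEY_PARENTS]):
        return True
    # Some sources log the parent key as OBJECTNAME and the Run subkey in the value name.
    return any(low.endswith(p.lower()) for p in RUN_KEY_PARENTS) and value_name.lower().startswith("run")

def points_to_suspicious_folder(information):
    """True when the value data (the autorun image path) lies in a folder the rule flags."""
    if _contains_any(information, SUSPICIOUS_FOLDERS):
        return True
    return _contains_any(information, [r":\Users"]) and _contains_any(information, USER_SUBFOLDERS)

def matches_rule(event):
    return (event.get("actionname") == "Registry value modified"
            and is_run_key(event.get("OBJECTNAME", ""), event.get("OBJECTVALUENAME", ""))
            and points_to_suspicious_folder(event.get("INFORMATION", "")))

def _event(key, value_name, data):  # builds a constructed event in the criteria's field layout
    return {"actionname": "Registry value modified", "OBJECTNAME": key,
            "OBJECTVALUENAME": value_name, "INFORMATION": data}
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    _event(r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
           r"C:\Users\alice\AppData\Roaming\updater.exe"),
    _event(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Invoice", r"C:\Users\bob\Documents\invoice.exe"),
    _event(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Cleanup", r"C:\Windows\Temp\cleanup.exe"),
    _event(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
           r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
]
```

Only the first two constructed events fire: the RunOnce entry is excluded and the Program Files image is not in a flagged folder.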
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing