← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious File Creation Activity From Fake Recycle.Bin Folder

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Quality
98
FP risk
Forks
0
Views
0
Rule sourcerules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
related:
    - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
      type: derived
status: test
description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
references:
    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
    - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
    - attack.persistence
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - Image|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
        - TargetFilename|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml