← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious File Creation In Uncommon AppData Folder

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs

Quality
98
FP risk
Forks
0
Views
0
Rule sourcerules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.lnk'
            - '.msi'
            - '.ps1'
            - '.psm1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    filter_main:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
            - '\AppData\Roaming\'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high