Update sysmon_susp_reg_persist_explorer_run.yml

2020-11-28 13:52:36 -03:00
parent 986800056c
commit f504ccc33f
1 changed files with 6 additions and 4 deletions
@@ -2,7 +2,7 @@ title: Registry Persistence via Explorer Run Key
 id: b7916c2a-fa2f-4795-9477-32b731f70f11
 status: experimental
 description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth
+author: Florian Roth, oscd.community
 date: 2018/07/18
 modified: 2020/09/06
 references:
@@ -13,15 +13,17 @@ logsource:
 detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
-        Details|startswith: 
+    selection2:
+        - Details|startswith: 
            - 'C:\Windows\Temp\'
            - 'C:\ProgramData\'
-            - '*\AppData\'
            - 'C:\$Recycle.bin\'
            - 'C:\Temp\'
            - 'C:\Users\Public\'
            - 'C:\Users\Default\'
-    condition: selection
+        - Details|contains: 
+            - '\AppData\'
+    condition: selection and selection2
 tags:
    - attack.persistence
    - attack.t1060 # an old one