sigma · high · Hunting

Suspicious File Creation In Uncommon AppData Folder

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This technique could be used to bypass detections that exclude the AppData folder for fear of false positives.

Detection Query

selection:
  TargetFilename|startswith: C:\Users\
  TargetFilename|contains: \AppData\
  TargetFilename|endswith:
    - .bat
    - .cmd
    - .cpl
    - .dll
    - .exe
    - .hta
    - .iso
    - .lnk
    - .msi
    - .ps1
    - .psm1
    - .scr
    - .vbe
    - .vbs
filter_main:
  TargetFilename|startswith: C:\Users\
  TargetFilename|contains:
    - \AppData\Local\
    - \AppData\LocalLow\
    - \AppData\Roaming\
condition: selection and not filter_main

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-05

Data Sources

windows / File Events

Platforms

windows

Tags

attack.defense-evasion
attack.execution
Raw Content
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This technique could be used to bypass detections that exclude the AppData folder for fear of false positives.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.lnk'
            - '.msi'
            - '.ps1'
            - '.psm1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    filter_main:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
            - '\AppData\Roaming\'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high
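The following is an added worked example, not part of the Sigma rule or of the Sigma project: a small Python re-implementation of the rule's `selection` / `filter_main` / `condition` logic, run over constructed file-creation events so you can see which paths alert and which are suppressed. It assumes that the `TargetFilename` field comes from a Windows file-creation event (the `FileEvent` class below is a constructed stand-in for such a record, not a real log schema), and that string modifiers are case-insensitive, which is the default Sigma matching behaviour.

```python
"""
Added example: re-implementation of the rule "Suspicious File Creation In
Uncommon AppData Folder" for testing against sample paths.  Not the rule's
own code.  Sigma's startswith/contains/endswith modifiers are case-insensitive
by default, so every comparison lower-cases the path first.
"""
from dataclasses import dataclass
from typing import Iterable, List

# selection: TargetFilename|endswith (same list as the rule)
SUSPICIOUS_EXTENSIONS = (
    ".bat", ".cmd", ".cpl", ".dll", ".exe", ".hta", ".iso",
    ".lnk", ".msi", ".ps1", ".psm1", ".scr", ".vbe", ".vbs",
)

# filter_main: TargetFilename|contains (the three well-known AppData subfolders)
COMMON_APPDATA_SUBDIRS = (
    "\\appdata\\local\\",
    "\\appdata\\locallow\\",
    "\\appdata\\roaming\\",
)


def selection_matches(target: str) -> bool:
    """selection: startswith C:\\Users\\, contains \\AppData\\, endswith a listed extension."""
    p = target.lower()
    return (
        p.startswith("c:\\users\\")
        and "\\appdata\\" in p
        and p.endswith(SUSPICIOUS_EXTENSIONS)
    )


def filter_main_matches(target: str) -> bool:
    """filter_main: startswith C:\\Users\\ and contains one of the common subfolders."""
    p = target.lower()
    return p.startswith("c:\\users\\") and any(s in p for s in COMMON_APPDATA_SUBDIRS)


def rule_matches(target: str) -> bool:
    """condition: selection and not filter_main"""
    return selection_matches(target) and not filter_main_matches(target)


@dataclass
class FileEvent:
    # Constructed stand-in for a Windows file-creation event; only the one
    # field the rule inspects is modelled here.
    TargetFilename: str


def triage(events: Iterable[FileEvent]) -> List[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e.TargetFilename for e in events if rule_matches(e.TargetFilename)]


# Constructed sample events (not real telemetry). Comments state the expected outcome.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\setup.exe"),     # common subfolder: suppressed
    FileEvent(r"C:\Users\alice\AppData\Roaming\Microsoft\x.dll"),  # common subfolder: suppressed
    FileEvent(r"C:\Users\alice\AppData\LocalLow\a.lnk"),           # common subfolder: suppressed
    FileEvent(r"C:\Users\alice\AppData\Updater\svc.exe"),          # uncommon subfolder: alert
    FileEvent(r"C:\Users\alice\AppData\payload.vbs"),              # directly in AppData: alert
    FileEvent(r"C:\Users\alice\AppData\Updater\notes.txt"),        # extension not listed: no match
    FileEvent(r"C:\Users\alice\Documents\AppData\Local\x.exe"),    # filter is a substring test: suppressed
    FileEvent(r"C:\Users\alice\AppData\LocalX\evil.exe"),          # "LocalX" is not "Local\": alert
    FileEvent(r"C:\USERS\BOB\APPDATA\TOOLS\RUN.PS1"),              # case-insensitive match: alert
    FileEvent(r"D:\Users\alice\AppData\Tools\run.exe"),            # not under C:\Users\: no match
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT", path)
```

Two behaviours of the rule are visible in the sample set: `filter_main` is a substring test, so any path that contains `\AppData\Local\`, `\AppData\LocalLow\` or `\AppData\Roaming\` anywhere is suppressed, not only paths whose AppData folder is directly under the profile; and a look-alike folder such as `AppData\LocalX\` is not one of the three common names and therefore still alerts, which is exactly the evasion pattern the description targets.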