
New RUN Key Pointing to Suspicious Folder

Format: Sigma · Level: high · Source: SigmaHQ
ATT&CK: T1547.001
Sentinel table: imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-31T23:00:00Z · Confidence: low

Hunt Hypothesis

A value newly written under a Run key (Software\Microsoft\Windows\CurrentVersion\Run in HKLM or a user hive, its WOW6432Node equivalent, or Policies\Explorer\Run) whose data points to an executable in a user-writable or otherwise unusual folder (Temp, ProgramData, AppData, Public, $Recycle.bin, Users\Default, or a profile's Documents, Pictures, Music, Favorites, Contacts or Photos folders) is a likely persistence attempt (T1547.001) rather than a normal software install. Because the key match is a substring on \CurrentVersion\Run, RunOnce values are in scope as well, which is why the rule carries a dedicated filter for Windows Update's RunOnce cleanup entries.

Detection Rule

Sigma (Original)

title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2018-08-25
modified: 2025-10-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        Details|contains:
            - ':\Perflogs'
            - ':\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        Details|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        Details|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    filter_main_windows_update:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
        Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
        Details|contains|all:
            - 'rundll32.exe '
            - 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
        Details|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
    filter_optional_spotify:
        Image|endswith:
            - 'C:\Program Files\Spotify\Spotify.exe'
            - 'C:\Program Files (x86)\Spotify\Spotify.exe'
            - '\AppData\Roaming\Spotify\Spotify.exe'
        TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
        Details|endswith: 'Spotify.exe --autostart --minimized'
    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Software using weird folders for updates
level: high

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
      or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
      or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run")
  and (
        // selection_suspicious_paths_1
        (RegistryValueData contains ":\\Perflogs" or RegistryValueData contains ":\\ProgramData"
         or RegistryValueData contains ":\\Windows\\Temp" or RegistryValueData contains ":\\Temp"
         or RegistryValueData contains "\\AppData\\Local\\Temp" or RegistryValueData contains "\\AppData\\Roaming"
         or RegistryValueData contains ":\\$Recycle.bin" or RegistryValueData contains ":\\Users\\Default"
         or RegistryValueData contains ":\\Users\\public" or RegistryValueData contains "%temp%"
         or RegistryValueData contains "%tmp%" or RegistryValueData contains "%Public%"
         or RegistryValueData contains "%AppData%")
        // all of selection_suspicious_paths_user_*
     or (RegistryValueData contains ":\\Users\\"
         and (RegistryValueData contains "\\Favorites" or RegistryValueData contains "\\Favourites"
              or RegistryValueData contains "\\Contacts" or RegistryValueData contains "\\Music"
              or RegistryValueData contains "\\Pictures" or RegistryValueData contains "\\Documents"
              or RegistryValueData contains "\\Photos"))
      )
  // filter_main_windows_update (Sigma uses contains here; an endswith on a literal "*" never matches)
  and not (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\"
           and ActingProcessName startswith "C:\\Windows\\SoftwareDistribution\\Download\\"
           and RegistryValueData contains "rundll32.exe "
           and RegistryValueData contains "C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32"
           and (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Windows\\Temp\\"))
  // filter_optional_spotify
  and not ((ActingProcessName endswith "C:\\Program Files\\Spotify\\Spotify.exe"
            or ActingProcessName endswith "C:\\Program Files (x86)\\Spotify\\Spotify.exe"
            or ActingProcessName endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe")
           and RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify"
           and RegistryValueData endswith "Spotify.exe --autostart --minimized")
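To check what the Sigma condition and its KQL translation actually fire on before deploying, the following is a reference evaluation of the rule's logic over constructed Sysmon EventID 13 (registry_set) records. This is an added example written for this page, not code from SigmaHQ or from the rule's authors; the sample events, their ids and the process paths in them are constructed, and the matching helpers assume Sigma's case-insensitive string semantics (which KQL's contains/startswith/endswith share).

```python
"""Reference evaluation of the 'New RUN Key Pointing to Suspicious Folder' logic
over constructed Sysmon EventID 13 records (added example, not SigmaHQ code)."""

# Patterns copied from the rule; Python literals, so registry backslashes are doubled.
RUN_KEYS = (
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
)
SUSPICIOUS_PATHS = (
    ":\\Perflogs", ":\\ProgramData", ":\\Windows\\Temp", ":\\Temp",
    "\\AppData\\Local\\Temp", "\\AppData\\Roaming", ":\\$Recycle.bin",
    ":\\Users\\Default", ":\\Users\\public", "%temp%", "%tmp%",
    "%Public%", "%AppData%",
)
USER_SUBFOLDERS = (
    "\\Favorites", "\\Favourites", "\\Contacts", "\\Music",
    "\\Pictures", "\\Documents", "\\Photos",
)


def contains(value: str, *needles: str) -> bool:
    """Sigma `contains` over a list: true if any needle occurs, case-insensitively."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def startswith(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())


def endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def filter_windows_update(ev: dict) -> bool:
    """filter_main_windows_update: RunOnce cleanup values written by Windows Update."""
    return (
        contains(ev["TargetObject"], "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\")
        and startswith(ev["Image"], "C:\\Windows\\SoftwareDistribution\\Download\\")
        # contains|all: every needle must be present
        and contains(ev["Details"], "rundll32.exe ")
        and contains(ev["Details"], "C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32")
        and contains(ev["Details"], "\\AppData\\Local\\Temp\\", "C:\\Windows\\Temp\\")
    )


def filter_spotify(ev: dict) -> bool:
    """filter_optional_spotify: Spotify registering its own autostart value."""
    images = ("C:\\Program Files\\Spotify\\Spotify.exe",
              "C:\\Program Files (x86)\\Spotify\\Spotify.exe",
              "\\AppData\\Roaming\\Spotify\\Spotify.exe")
    return (
        any(endswith(ev["Image"], s) for s in images)
        and endswith(ev["TargetObject"], "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify")
        and endswith(ev["Details"], "Spotify.exe --autostart --minimized")
    )


def matches_rule(ev: dict) -> bool:
    """selection_target and (paths_1 or all of paths_user_*) and not any filter."""
    selection_target = contains(ev["TargetObject"], *RUN_KEYS)
    paths_1 = contains(ev["Details"], *SUSPICIOUS_PATHS)
    # Both user sub-selections must hold: a profile path AND a listed document folder.
    paths_user = contains(ev["Details"], ":\\Users\\") and contains(ev["Details"], *USER_SUBFOLDERS)
    if not (selection_target and (paths_1 or paths_user)):
        return False
    return not (filter_windows_update(ev) or filter_spotify(ev))


def alerts(events: list) -> list:
    """Ids of the events that fire the rule, in input order."""
    return [ev["id"] for ev in events if matches_rule(ev)]


# Constructed Sysmon EventID 13 records (only the three fields the rule reads).
SAMPLE_EVENTS = [
    {"id": "run-appdata-roaming",  # alert: executable persisted from AppData\Roaming
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\""},
    {"id": "run-user-documents",   # alert: profile path plus a listed subfolder (Documents)
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-2222\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Invoice",
     "Details": "C:\\Users\\bob\\Documents\\invoice.exe"},
    {"id": "run-user-desktop",     # no alert: ':\Users\' alone, Desktop is not in the list
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-3333\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Tool",
     "Details": "C:\\Users\\carol\\Desktop\\tool.exe"},
    {"id": "policies-run-temp",    # alert: %TEMP% via the Policies\Explorer\Run key
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\1",
     "Details": "%TEMP%\\stage2.exe"},
    {"id": "run-program-files",    # no alert: installed software under Program Files
     "Image": "C:\\Program Files\\Vendor\\Setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "\"C:\\Program Files\\Vendor\\Tray.exe\" /background"},
    {"id": "runonce-windows-update",  # matches selection, suppressed by filter_main_windows_update
     "Image": "C:\\Windows\\SoftwareDistribution\\Download\\Install\\WindowsUpdateBox.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wudf_cleanup",
     "Details": "rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Windows\\Temp\\WUCleanup\""},
    {"id": "run-spotify",          # matches selection, suppressed by filter_optional_spotify
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\Spotify\\Spotify.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(("ALERT " if matches_rule(ev) else "ok    ") + ev["id"])
```

Running it flags only the first, second and fourth records; the Desktop record shows why the two selection_suspicious_paths_user_* parts are ANDed, and the RunOnce record shows that the substring match on \CurrentVersion\Run pulls RunOnce writes into scope, which the Windows Update filter then exempts. Swap in real EventID 13 exports to see what the rule would have fired on in your environment before enabling it.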

Required Data Sources

Sentinel table: imRegistry (ASIM registry events). Notes: ensure a registry-event source that populates this parser is connected. The KQL maps Sigma's TargetObject to RegistryKey and Details to RegistryValueData; ASIM keeps the value name in a separate RegistryValue field, so confirm whether your parser appends the value name to RegistryKey before relying on the Spotify filter's RegistryKey endswith ...\Run\Spotify clause.

False Positive Guidance

The rule author lists one class of false positive: software that runs its installer or updater out of an unusual folder. The rule already carries two examples as filters, Spotify starting itself from AppData\Roaming (filter_optional_spotify) and Windows Update's RunOnce cleanup via rundll32 advpack.dll,DelNodeRunDLL32 (filter_main_windows_update). When tuning, add a further filter_optional_* block that pins Image, TargetObject and Details together, as the Spotify filter does, rather than dropping a folder from selection_suspicious_paths_1: a per-user application persisting from AppData\Roaming is exactly what a dropper imitates, so a broad exclusion on the path alone removes the signal.

MITRE ATT&CK Context

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, under the Persistence (TA0003) and Privilege Escalation (TA0004) tactics, matching the rule's attack.persistence and attack.privilege-escalation tags. The rule cites the 2018 FireEye FIN7 report and the HackTricks autorun-binaries page as its references.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml