Adversaries may use a fake Recycle.Bin folder as a staging ground to exfiltrate data or deploy malware by creating suspicious files within it. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity and prevent data compromise.
Detection Rule
title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
related:
    - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
      type: derived
status: test
description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
references:
    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
    - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
    - attack.persistence
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - Image|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
        - TargetFilename|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml
Azure Sentinel Query (KQL, ASIM imFileEvent)
imFileEvent
| where (TargetFilePath contains "RECYCLERS.BIN\\" or TargetFilePath contains "RECYCLER.BIN\\")
    or (TargetFileName contains "RECYCLERS.BIN\\" or TargetFileName contains "RECYCLER.BIN\\")
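The following is an added worked example, not code from the page or from the rule's author (Nextron Systems); it re-implements the Sigma rule's `selection` in Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) style records using the same field names the rule uses, `Image` and `TargetFilename`. It shows three things the YAML alone does not make obvious: the two maps under `selection` are OR'ed, so a hit on either the writing process path or the written file path fires the rule; Sigma's `contains` is case-insensitive; and the trailing backslash in the patterns means a directory named RECYCLER.BIN is required, so the real `C:\$Recycle.Bin` (no "R") and a plain file called `recycler.bin` do not match. The sample records are constructed for illustration.

```python
# Substrings from the Sigma rule's selection. Sigma string matching is
# case-insensitive by default, so both needles and haystacks are upper-cased.
RECYCLER_PATTERNS = ("RECYCLERS.BIN\\", "RECYCLER.BIN\\")


def _contains_any(value: str, needles) -> bool:
    """Case-insensitive equivalent of the Sigma `|contains` modifier over a list."""
    haystack = value.upper()
    return any(needle.upper() in haystack for needle in needles)


def matches_fake_recycle_bin(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    `selection` is a YAML list of two maps, which Sigma evaluates as an OR:
    either the creating process (Image) or the written file (TargetFilename)
    sits under a RECYCLER.BIN / RECYCLERS.BIN directory.
    """
    return (_contains_any(event.get("Image", ""), RECYCLER_PATTERNS)
            or _contains_any(event.get("TargetFilename", ""), RECYCLER_PATTERNS))


def hunt(events):
    """Return only the events that fire the rule (the hunting result set)."""
    return [e for e in events if matches_fake_recycle_bin(e)]


# Constructed Sysmon Event ID 11 (FileCreate) records; field names follow the rule.
SAMPLE_EVENTS = [
    # Real Recycle Bin ($Recycle.Bin, no "R"): expected NOT to match.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-1111\$RABCDEF.docx"},
    # Payload dropped into a fake RECYCLER.BIN directory: hit via TargetFilename.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\$RECYCLER.BIN\update.exe"},
    # Binary already running from a fake RECYCLER.BIN on a removable drive: hit via Image.
    {"Image": r"D:\$RECYCLER.BIN\svchost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\out.dat"},
    # A file merely named recycler.bin (no trailing backslash): expected NOT to match.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\recycler.bin"},
    # Lower-case RECYCLERS.BIN variant: still a hit because matching is case-insensitive.
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "TargetFilename": r"e:\recyclers.bin\archive\part1.7z"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT  Image={hit['Image']}  TargetFilename={hit['TargetFilename']}")
```

Running the block prints three alerts (events 2, 3 and 5); the real Recycle Bin write and the standalone `recycler.bin` file are left alone. If you port this to a SIEM, keep the OR over both fields: a query that inspects only the target path, as the KQL above does, misses the case where the staged binary is the writer rather than the thing being written.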
False Positive Scenarios

Scenario: System Restore Point Creation
Description: A legitimate system restore point is created using the vssadmin tool, which may generate files in a directory resembling a fake recycle bin.
Filter/Exclusion: Exclude events where the file path contains SystemVolumeInformation or where the process is vssadmin.exe.

Scenario: Scheduled Backup Job
Description: A scheduled backup job (e.g., using wbadmin or third-party tools like Veeam) writes files to a temporary directory that mimics a recycle bin structure.
Filter/Exclusion: Exclude events where the process is wbadmin.exe, vssadmin.exe, or any known backup tool process name.

Scenario: Admin Task for File Cleanup
Description: An administrator, manually or via a script (e.g., PowerShell or cleanmgr.exe), performs a disk cleanup that temporarily creates files in a directory resembling a fake recycle bin.
Filter/Exclusion: Exclude events where the process is cleanmgr.exe, PowerShell.exe, or where the user is a domain admin with elevated privileges.

Scenario: Temporary File Storage for Application Use
Description: A legitimate application (e.g., 7-Zip, WinRAR, or rsync) stores temporary files in a directory that resembles a fake recycle bin during extraction or synchronization.
Filter/Exclusion: Exclude events where the file path contains known temporary directories (e.g., Temp, Temp\, or C:\Users\*\AppData\Local\Temp) or where the process is a known archiving tool.

Scenario: User-Initiated File Move to Recycle Bin
Description: A user moves files to the actual Recycle Bin (C:\$Recycle.Bin), which may be mistaken for a fake recycle bin folder by