Adversaries may create malicious files in less common AppData subdirectories to evade standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or data exfiltration activities that bypass traditional file monitoring.
Detection Rule
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This method could be used to bypass detections that exclude the AppData folder for fear of FPs.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.lnk'
            - '.msi'
            - '.ps1'
            - '.psm1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    filter_main:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
            - '\AppData\Roaming\'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high
Azure Sentinel Query (KQL)
imFileEvent
| where TargetFileName startswith "C:\\Users\\"
    and TargetFileName contains "\\AppData\\"
    and (TargetFileName endswith ".bat" or TargetFileName endswith ".cmd" or TargetFileName endswith ".cpl"
        or TargetFileName endswith ".dll" or TargetFileName endswith ".exe" or TargetFileName endswith ".hta"
        or TargetFileName endswith ".iso" or TargetFileName endswith ".lnk" or TargetFileName endswith ".msi"
        or TargetFileName endswith ".ps1" or TargetFileName endswith ".psm1" or TargetFileName endswith ".scr"
        or TargetFileName endswith ".vbe" or TargetFileName endswith ".vbs")
    and not (TargetFileName startswith "C:\\Users\\"
        and (TargetFileName contains "\\AppData\\Local\\"
            or TargetFileName contains "\\AppData\\LocalLow\\"
            or TargetFileName contains "\\AppData\\Roaming\\"))
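To test the rule logic offline before deploying it, the following Python re-implements `selection and not filter_main` exactly as the Sigma rule and the KQL above express it, and adds the per-process exclusion that the false-positive scenarios recommend. This is an added example, not part of the Sigma rule or of the Sentinel query; the event records and the process paths in it are constructed.

```python
# Added example: re-implements the Sigma rule's selection / filter_main logic so it can be
# run over constructed file_event records for testing and tuning. Not the rule's own code.
import json
from typing import Iterable

# Extension list copied from the rule's TargetFilename|endswith block.
SUSPICIOUS_EXT = ('.bat', '.cmd', '.cpl', '.dll', '.exe', '.hta', '.iso', '.lnk',
                  '.msi', '.ps1', '.psm1', '.scr', '.vbe', '.vbs')
# The three well-known AppData subfolders that filter_main excludes.
COMMON_APPDATA = ('\\appdata\\local\\', '\\appdata\\locallow\\', '\\appdata\\roaming\\')


def matches_rule(target: str) -> bool:
    """True when the path satisfies `selection and not filter_main`.

    Comparisons are case-insensitive, matching both Sigma's default string
    modifiers and KQL's startswith/contains/endswith operators."""
    p = target.lower()
    selection = (p.startswith('c:\\users\\')
                 and '\\appdata\\' in p
                 and p.endswith(SUSPICIOUS_EXT))
    filter_main = p.startswith('c:\\users\\') and any(c in p for c in COMMON_APPDATA)
    return selection and not filter_main


def hunt(events: Iterable[dict], allowed_images: Iterable[str] = ()) -> list[dict]:
    """Return the events that fire the rule.

    `allowed_images` is an optional allowlist of creating-process paths (the Image
    field), the per-process exclusion the false-positive scenarios suggest."""
    allowed = {a.lower() for a in allowed_images}
    return [e for e in events
            if matches_rule(e['TargetFilename'])
            and e.get('Image', '').lower() not in allowed]


# Constructed sample events (hypothetical paths, not taken from any real host).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    {"Image": "C:\\Users\\alice\\Downloads\\inv.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\updater\\svc.dll"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\notes.txt"},
    {"Image": "C:\\Program Files\\VendorSync\\sync.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Sync\\run.ps1"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\ProgramData\\vendor\\app.msi"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Only the `svc.dll` and `run.ps1` events fire: the first lands in `\AppData\Local\`, the `.txt` is not in the extension list, and the `.msi` is outside `C:\Users\`.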
False Positive Scenarios

Scenario: User creates a legitimate configuration file for a third-party application
Example: A user installs a software tool like 7-Zip or WinRAR and creates a configuration file in the AppData folder.
Filter/Exclusion: Exclude files with known benign extensions (e.g., .ini, .cfg, .json) or files created by specific applications using their process names or file paths.

Scenario: Scheduled job or system maintenance task writes to AppData
Example: A Windows Update or Microsoft Intune task creates temporary files in the AppData folder during system maintenance.
Filter/Exclusion: Exclude files created by system processes or services using the ProcessName or ImageLoaded fields, or filter by known system tasks using EventID or CommandLine.

Scenario: User downloads and extracts a legitimate archive to AppData
Example: A user extracts a ZIP file containing application data (e.g., Notepad++ or VS Code) into the AppData folder.
Filter/Exclusion: Exclude files created by known extraction tools (e.g., 7-Zip, WinRAR) or files with common archive extensions (e.g., .zip, .tar, .rar).

Scenario: Admin performs a system cleanup or file migration
Example: An administrator moves files from one location to the AppData folder as part of a cleanup or migration task.
Filter/Exclusion: Exclude files created by administrative tasks using the User field (e.g., NT AUTHORITY\SYSTEM) or filter by known administrative tools (e.g., PowerShell, Robocopy).

Scenario: Application-specific cache or log files are stored in AppData
Example: A legitimate application like Google Chrome or Adobe Acrobat stores