Publisher Attachment File Dropped In Suspicious Location
Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
Sigma rule (View on GitHub)
1title: Publisher Attachment File Dropped In Suspicious Location
2id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
3status: test
4description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
5references:
6 - https://twitter.com/EmericNasi/status/1623224526220804098
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/02/08
9tags:
10 - attack.defense_evasion
11logsource:
12 category: file_event
13 product: windows
14detection:
15 selection:
16 TargetFilename|contains:
17 - '\AppData\Local\Temp\'
18 - '\Users\Public\'
19 - '\Windows\Temp\'
20 - 'C:\Temp\'
21 TargetFilename|endswith: '.pub'
22 condition: selection
23falsepositives:
24 - Legitimate usage of ".pub" files from those locations
25level: medium
References
Related rules
- Arbitrary File Download Via MSPUB.EXE
- DLL Loaded From Suspicious Location Via Cmspt.EXE
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Directory Removal Via Rmdir
- EventLog EVTX File Deleted