Publisher Attachment File Dropped In Suspicious Location

Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents

Sigma rule (View on GitHub)

 1title: Publisher Attachment File Dropped In Suspicious Location
 2id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
 3status: test
 4description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
 5references:
 6    - https://twitter.com/EmericNasi/status/1623224526220804098
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-02-08
 9tags:
10    - attack.defense-evasion
11logsource:
12    category: file_event
13    product: windows
14detection:
15    selection:
16        TargetFilename|contains:
17            - '\AppData\Local\Temp\'
18            - '\Users\Public\'
19            - '\Windows\Temp\'
20            - 'C:\Temp\'
21        TargetFilename|endswith: '.pub'
22    condition: selection
23falsepositives:
24    - Legitimate usage of ".pub" files from those locations
25level: medium

References

Related rules

to-top