Suspicious Binaries and Scripts in Public Folder
Detects the creation of a file with a script or executable extension (.bat, .dll, .exe, .hta, .js, .ps1, .vbe, .vbs) anywhere under a `\Users\Public\` directory. C:\Users\Public is writable by every local user and belongs to no particular account, which makes it a convenient staging location for tooling dropped after initial access; the intrusions referenced below were observed using it that way. Because the match is on the path fragment `:\Users\Public\`, the rule covers any drive letter and any subfolder (for example `C:\Users\Public\Documents\`), but not sibling directories whose names merely start with "Public".
Sigma rule
```yaml
title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
  - https://intel.thedfirreport.com/events/view/30032 # Private Report
  - https://intel.thedfirreport.com/eventReports/view/70 # Private Report
  - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: 'The DFIR Report'
date: 2025-01-23
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: ':\Users\Public\'
    TargetFilename|endswith:
      - '.bat'
      - '.dll'
      - '.exe'
      - '.hta'
      - '.js'
      - '.ps1'
      - '.vbe'
      - '.vbs'
  condition: selection
falsepositives:
  - Administrators deploying legitimate binaries to public folders.
level: high
```
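The following is an added example, not part of The DFIR Report's rule or of any Sigma backend: it re-implements the rule's `selection` in plain Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records, so the matching semantics can be checked offline before the rule is deployed. It assumes the Sigma specification's defaults for string modifiers (`|contains` and `|endswith` match case-insensitively, a list of values under one field is OR-ed, fields within a selection are AND-ed). The `FileEvent` class, field names and sample paths are illustrative stand-ins, not real telemetry.

```python
"""
Added example (not The DFIR Report's code): evaluate the selection of Sigma
rule b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e against constructed file-create
records.

Sigma string-matching semantics assumed here:
  * |contains and |endswith are case-insensitive,
  * a list of values under a single field is OR-ed,
  * the fields inside one selection are AND-ed.
"""
from dataclasses import dataclass

PATH_FRAGMENT = ":\\users\\public\\"      # TargetFilename|contains (lower-cased)
SUSPICIOUS_EXT = (".bat", ".dll", ".exe", ".hta", ".js", ".ps1", ".vbe", ".vbs")


@dataclass(frozen=True)
class FileEvent:
    """Minimal stand-in for a Sysmon Event ID 11 record (hypothetical fields)."""
    utc_time: str
    image: str             # process that created the file
    target_filename: str   # Sysmon TargetFilename


def matches_rule(event: FileEvent) -> bool:
    """True when the event satisfies the rule's `selection` block."""
    path = event.target_filename.lower()        # Sigma matching is case-insensitive
    in_public = PATH_FRAGMENT in path           # TargetFilename|contains
    has_ext = path.endswith(SUSPICIOUS_EXT)     # TargetFilename|endswith, OR over the list
    return in_public and has_ext                # fields in a selection are AND-ed


def alerting_events(events) -> list:
    """Reduce a stream of file events to those the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry; timestamps, processes and paths are made up.
SAMPLE_EVENTS = [
    FileEvent("2025-01-23 10:01:02", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Users\\Public\\update.exe"),              # match
    FileEvent("2025-01-23 10:01:05", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Users\\Public\\Documents\\stage.PS1"),    # match: subfolder, upper-case extension
    FileEvent("2025-01-23 10:01:07", "C:\\Windows\\explorer.exe",
              "D:\\Users\\Public\\tools\\run.bat"),          # match: any drive letter
    FileEvent("2025-01-23 10:01:09", "C:\\Windows\\explorer.exe",
              "C:\\Users\\Public\\notes.txt"),               # no match: extension not in list
    FileEvent("2025-01-23 10:01:11", "C:\\Windows\\explorer.exe",
              "C:\\Users\\PublicStuff\\payload.exe"),        # no match: trailing '\' in the fragment
    FileEvent("2025-01-23 10:01:13", "C:\\Windows\\explorer.exe",
              "C:\\Users\\alice\\Downloads\\setup.exe"),     # no match: user profile, not Public
    FileEvent("2025-01-23 10:01:15", "C:\\Windows\\explorer.exe",
              "C:\\Users\\Public\\report.exe.txt"),          # no match: endswith, not contains
]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print(f"{hit.utc_time}  {hit.image} -> {hit.target_filename}")
```

Three of the seven constructed records fire. The two negative cases worth noting when tuning are `C:\Users\PublicStuff\` (the trailing backslash in the `|contains` value keeps look-alike directories out) and `report.exe.txt` (a double extension is not caught because `|endswith` looks only at the final suffix). To handle the listed false positive, a real deployment would add a `filter` selection on `Image` for the organisation's own software-deployment agents and change the condition to `selection and not filter`, rather than loosening the path or extension lists.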
Related rules
- Antivirus Hacktool Detection
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- DarkSide Ransomware Pattern
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Snatch Ransomware Activity