Arbitrary File Download Via MSPUB.EXE
Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
Sigma rule (View on GitHub)
1title: Arbitrary File Download Via MSPUB.EXE
2id: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf
3status: test
4description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
5references:
6 - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-08-19
9modified: 2023-02-08
10tags:
11 - attack.defense-evasion
12 - attack.execution
13 - attack.t1218
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\MSPUB.exe'
20 - OriginalFileName: 'MSPUB.exe'
21 selection_cli:
22 CommandLine|contains:
23 - 'ftp://'
24 - 'http://'
25 - 'https://'
26 condition: all of selection_*
27falsepositives:
28 - Unknown
29level: medium
References
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Created Files by Microsoft Sync Center
- Execute MSDT Via Answer File