Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
Sigma rule (View on GitHub)
1title: Suspicious Execution From Outlook Temporary Folder
2id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
3status: test
4description: Detects a suspicious program execution in Outlook temp folder
5author: Florian Roth (Nextron Systems)
6references:
7 - Internal Research
8date: 2019/10/01
9modified: 2022/10/09
10tags:
11 - attack.initial_access
12 - attack.t1566.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|contains: '\Temporary Internet Files\Content.Outlook\'
19 condition: selection
20falsepositives:
21 - Unknown
22level: high
References
Related rules
- Office Macro File Creation From Suspicious Process
- Suspicious Microsoft OneNote Child Process
- ISO Image Mounted
- Potential Initial Access via DLL Search Order Hijacking
- Arbitrary Shell Command Execution Via Settingcontent-Ms