sigmamediumHunting

Publisher Attachment File Dropped In Suspicious Location

Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents

Detection Query

selection:
  TargetFilename|contains:
    - \AppData\Local\Temp\
    - \Users\Public\
    - \Windows\Temp\
    - C:\Temp\
  TargetFilename|endswith: .pub
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-02-08

Data Sources

windowsFile Events

Platforms

windows

References

https://twitter.com/EmericNasi/status/1623224526220804098

Tags

attack.defense-evasion

Raw Content

title: Publisher Attachment File Dropped In Suspicious Location
id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
status: test
description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
references:
    - https://twitter.com/EmericNasi/status/1623224526220804098
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.defense-evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        TargetFilename|endswith: '.pub'
    condition: selection
falsepositives:
    - Legitimate usage of ".pub" files from those locations
level: medium