← Back to Explore
sigmahighHunting
Suspicious Binaries and Scripts in Public Folder
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
Detection Query
selection:
TargetFilename|contains: :\Users\Public\
TargetFilename|endswith:
- .bat
- .dll
- .exe
- .hta
- .js
- .ps1
- .vbe
- .vbs
condition: selection
Author
The DFIR Report
Created
2025-01-23
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.executionattack.t1204
Raw Content
title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
- https://intel.thedfirreport.com/events/view/30032 # Private Report
- https://intel.thedfirreport.com/eventReports/view/70 # Private Report
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: 'The DFIR Report'
date: 2025-01-23
tags:
- attack.execution
- attack.t1204
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: ':\Users\Public\'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.ps1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Administrators deploying legitimate binaries to public folders.
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml