Techniques
Sample rules
Publisher Attachment File Dropped In Suspicious Location
- source: sigma
- techniques:
Description
Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents.
Detection logic
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        TargetFilename|endswith: '.pub'
    condition: selection
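To show how the selection above evaluates against file-creation telemetry, here is an added Python example (not part of the Sigma rule or its repository) that applies the same contains/endswith logic to a few constructed Sysmon-style FileCreate records. Both conditions must hold for a match, and comparisons are case-insensitive to mirror Sigma's default string matching; the record shape and file names are assumptions.

```python
from typing import Dict, List

# Values taken from the rule's selection: directory fragments for
# TargetFilename|contains and the extension for TargetFilename|endswith.
SUSPICIOUS_DIRS = [
    "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
    "C:\\Temp\\",
]
SUSPICIOUS_EXT = ".pub"


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate the 'selection' map: every field condition must hold (AND).
    Sigma's contains/endswith modifiers are case-insensitive by default,
    so both sides are lowercased before comparing."""
    target = event.get("TargetFilename", "").lower()
    in_suspicious_dir = any(d.lower() in target for d in SUSPICIOUS_DIRS)
    has_pub_ext = target.endswith(SUSPICIOUS_EXT)
    return in_suspicious_dir and has_pub_ext


# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.pub"},
    {"EventID": "11", "TargetFilename": "C:\\Users\\Public\\Downloads\\Flyer.PUB"},   # mixed case
    {"EventID": "11", "TargetFilename": "C:\\Users\\alice\\Documents\\newsletter.pub"},  # normal path
    {"EventID": "11", "TargetFilename": "C:\\Windows\\Temp\\update.log"},               # wrong ext
    {"EventID": "11", "TargetFilename": "C:\\Temp\\report.publish"},                    # endswith != contains
]


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetFilename of every record the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```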