Suspicious Binaries and Scripts in Public Folder

Original Source: [Sigma source]
Title: Suspicious Binaries and Scripts in Public Folder
Status: experimental
Description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate malicious activity.
References:
  - https://intel.thedfirreport.com/events/view/30032
  - https://intel.thedfirreport.com/eventReports/view/70
  - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
Author: The DFIR Report
Date: 2025-01-23
Modified: None
Tags:
  - 'attack.execution'
  - 'attack.t1204'
Logsource:
  • category: file_event
  • product: windows
Detection:
  selection:
    TargetFilename|contains: ':\Users\Public\'
    TargetFilename|endswith:
      - '.bat'
      - '.dll'
      - '.exe'
      - '.hta'
      - '.js'
      - '.ps1'
      - '.vbe'
      - '.vbs'
  condition: selection
Falsepositives:
  - Administrators deploying legitimate binaries to public folders.
Level: high
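The selection above, re-implemented as a small matcher and run over constructed Sysmon Event ID 11 style file-creation records (added example, not part of the Sigma rule or The DFIR Report's material). It applies Sigma's default case-insensitive `contains`/`endswith` semantics and shows that the `:\Users\Public\` anchor matches any drive letter but not a UNC path; the field names and sample records are assumptions.

```python
"""Added example: matcher for the 'Suspicious Binaries and Scripts in
Public Folder' selection, run over constructed file-creation events."""

# Sigma's contains/endswith modifiers are case-insensitive by default,
# so both the marker and the extensions are compared in lower case.
PUBLIC_MARKER = ":\\users\\public\\"
SUSPICIOUS_EXTENSIONS = (".bat", ".dll", ".exe", ".hta", ".js", ".ps1", ".vbe", ".vbs")


def matches_rule(target_filename: str) -> bool:
    """True when TargetFilename contains ':\\Users\\Public\\' and ends with one
    of the listed extensions, ignoring case (mirrors the Sigma selection)."""
    name = target_filename.lower()
    return PUBLIC_MARKER in name and name.endswith(SUSPICIOUS_EXTENSIONS)


def triage(events):
    """Return (Image, TargetFilename) pairs for every event the rule fires on.
    Image is kept so an analyst can check the falsepositive case (an admin
    deployment tool writing to Public) before escalating."""
    return [(ev["Image"], ev["TargetFilename"])
            for ev in events if matches_rule(ev["TargetFilename"])]


# Constructed sample records shaped like Sysmon EID 11 fields (assumed names).
SAMPLE_EVENTS = [
    # Script dropped straight into Public: fires.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\Public\\update.bat"},
    # Benign document in Public: extension not listed, no match.
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\Public\\Documents\\notes.txt"},
    # Other drive letter and mixed case: still fires (case-insensitive).
    {"Image": "C:\\Program Files\\Tool\\tool.exe",
     "TargetFilename": "D:\\USERS\\PUBLIC\\Libraries\\helper.DLL"},
    # Per-user profile, not Public: no match.
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\run.vbs"},
    # UNC path lacks the ':\' drive anchor, so this rule does not cover it.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "\\\\fileserver\\share\\Users\\Public\\x.ps1"},
]

if __name__ == "__main__":
    for image, target in triage(SAMPLE_EVENTS):
        print(f"HIT  {image} -> {target}")
```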