Adversaries may drop malicious publisher attachment files in suspicious locations to evade detection and persist within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence tactics early.
Detection Rule
title: Publisher Attachment File Dropped In Suspicious Location
id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
status: test
description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents.
references:
    - https://twitter.com/EmericNasi/status/1623224526220804098
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.defense_evasion
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        TargetFilename|endswith: '.pub'
    condition: selection
falsepositives:
    - Legitimate usage of ".pub" files from those locations
level: medium
imFileEvent
// In the ASIM FileEvent schema TargetFilePath carries the full path; TargetFileName is the bare file name,
// so the directory checks must run against TargetFilePath or they never match.
| where (TargetFilePath contains "\\AppData\\Local\\Temp\\" or TargetFilePath contains "\\Users\\Public\\" or TargetFilePath contains "\\Windows\\Temp\\" or TargetFilePath contains "C:\\Temp\\") and TargetFilePath endswith ".pub"
Scenario: A system administrator is using PowerShell to deploy a script that creates a temporary file in the C:\Windows\Temp directory for a legitimate software update.
Filter/Exclusion: Exclude files created by the PowerShell.exe process, or files with an extension such as .ps1 or .tmp.
Scenario: A scheduled task runs a backup utility that generates a temporary file in the C:\Windows\Temp directory during the backup process.
Filter/Exclusion: Exclude files created by processes associated with backup tools like Veeam, Acronis, or Veritas NetBackup.
Scenario: A software installation (e.g., Microsoft Office or Adobe Reader) creates a temporary file in the C:\Windows\Temp directory during the setup process.
Filter/Exclusion: Exclude files created by known installers such as msiexec.exe, setup.exe, or AdobeInstaller.exe.
Scenario: A system update (e.g., Windows Update) places a temporary file in the C:\Windows\Temp directory while applying patches.
Filter/Exclusion: Exclude files created by wuauclt.exe or svchost.exe during system update processes.
Scenario: A third-party application (e.g., 7-Zip or WinRAR) creates a temporary file in the C:\Windows\Temp directory while extracting archives.
Filter/Exclusion: Exclude files created by processes associated with 7-Zip.exe, WinRAR.exe, or unzip.exe.
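To check the rule's matching semantics (case-insensitive contains/endswith, as in both Sigma and KQL) and the effect of a process-based exclusion such as the installer and updater exclusions described above, here is an added Python example that runs the selection over constructed Sysmon-style file-creation events. It is not part of the Sigma rule or the Sentinel query; the exclusion list and the sample events are assumptions.

```python
from typing import Dict, Iterable, List

# Values taken directly from the Sigma rule's selection.
SUSPICIOUS_DIRS = (
    "\\AppData\\Local\\Temp\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
    "C:\\Temp\\",
)
TARGET_EXT = ".pub"

# Constructed exclusion list modelled on the installer/update scenarios above (an assumption, not rule content).
EXCLUDED_IMAGES = {"msiexec.exe", "setup.exe", "wuauclt.exe"}


def matches_rule(target_filename: str) -> bool:
    """Sigma selection: any suspicious directory substring AND a .pub suffix, compared case-insensitively."""
    path = target_filename.lower()
    return path.endswith(TARGET_EXT) and any(d.lower() in path for d in SUSPICIOUS_DIRS)


def image_name(image_path: str) -> str:
    """Bare executable name from a full Image path, lower-cased for comparison."""
    return image_path.rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that fire the rule and are not covered by a process exclusion."""
    hits = []
    for ev in events:
        if not matches_rule(ev["TargetFilename"]):
            continue
        if image_name(ev.get("Image", "")) in EXCLUDED_IMAGES:
            continue  # suppressed by the false-positive exclusion
        hits.append(ev)
    return hits


# Constructed sample events (Sysmon EventID 11 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.pub"},
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\MSPUB.EXE", "TargetFilename": "C:\\Users\\alice\\Documents\\newsletter.pub"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Windows\\Temp\\template.PUB"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\Public\\readme.pub.txt"},
    {"Image": "C:\\Windows\\System32\\WScript.exe", "TargetFilename": "c:\\temp\\Payload.PUB"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):  # expect the explorer.exe and WScript.exe events
        print(f"ALERT image={image_name(hit['Image'])} file={hit['TargetFilename']}")
```

The msiexec.exe event matches the selection but is dropped by the exclusion, and the Documents and .pub.txt events never match, which is exactly the gap the false-positive filters above are meant to close without widening the rule.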