C:\Users\Public is writable by every interactive user on a Windows host, so adversaries use it to stage binaries and scripts dropped by a phishing lure or a post-exploitation framework before executing them, without needing write access to another user's profile. Hunting file-creation events in that folder (typically Sysmon Event ID 11 or an EDR file-create feed ingested into Azure Sentinel) surfaces payload staging early, often before the first execution or the follow-on command and control traffic.
Detection Rule
title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
    - https://intel.thedfirreport.com/events/view/30032 # Private Report
    - https://intel.thedfirreport.com/eventReports/view/70 # Private Report
    - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: 'The DFIR Report'
date: 2025-01-23
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\Users\Public\'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Administrators deploying legitimate binaries to public folders.
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml
Azure Sentinel translation, run against the ASIM imFileEvent parser. KQL contains and endswith are case-insensitive (the case-sensitive forms are contains_cs and endswith_cs), which matches the Sigma modifiers. The folder test is made on TargetFilePath because the ASIM FileEvent schema defines TargetFilePath as the full path and TargetFileName as the file name without its directory; a contains on TargetFileName alone would never match.
imFileEvent
| where TargetFilePath contains ":\\Users\\Public\\"
    and (TargetFilePath endswith ".bat" or TargetFilePath endswith ".dll" or TargetFilePath endswith ".exe" or TargetFilePath endswith ".hta"
      or TargetFilePath endswith ".js" or TargetFilePath endswith ".ps1" or TargetFilePath endswith ".vbe" or TargetFilePath endswith ".vbs")
False Positives and Tuning
Only a file whose path contains :\Users\Public\ and whose name ends in one of the eight listed extensions triggers the rule, so any exclusion has to be expressed in those terms. Several scenarios commonly proposed for this rule never fire at all: .sh, .tar, .gz, .zip, .rar, .tmp, .log, .bak, .conf, .yml, .json, .xml, .so and .bin are not in the extension list, so shell scripts, backup archives (backup_20240505.tar.gz), linter and CI scratch files, configuration-management output and Linux-style binaries written to the public folder need no exclusion. The cases that do need attention are:
Scenario: A system administrator or a software-deployment agent (e.g., SCCM/ConfigMgr, Intune, PDQ Deploy) stages an installer or wrapper script (setup.exe, install.bat, deploy.ps1) in C:\Users\Public before running it.
Filter/Exclusion: Do not exclude by extension, since the extension is exactly what the rule keys on. Add a second selection on the creating process (the Sysmon Image field, or the acting-process field of your log source) that matches the deployment agent's full executable path, and change the condition to selection and not filter. Anchoring the filter on the full path rather than the file name stops a dropper renamed to the agent's name from inheriting the exemption.
Scenario: A user manually copies a legitimate executable or DLL (e.g., a portable tool such as nginx.exe or a vendor support utility) into C:\Users\Public to share it with another account on the host.
Filter/Exclusion: Exclude on the creating process and user rather than on the .exe or .dll extension, and verify the file's signature during triage: a user-copied executable in a world-writable folder is indistinguishable, at the level of this rule, from an initial-access payload.
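To make the selection logic and the creating-process tuning concrete, here is an added Python example (not code from the rule, from The DFIR Report, or from Sentinel) that replays the rule over constructed Sysmon Event ID 11 records. It shows the case-insensitive, drive-letter-agnostic folder match, why a user's own Public subfolder and archive extensions do not fire, and the allow-list on the Image field used to suppress the approved-deployer case. The ConfigMgr client path in APPROVED_DEPLOYMENT_IMAGES is an assumption for illustration, and all sample events are constructed, not real telemetry.

```python
# Added example (not the rule's or The DFIR Report's code): the rule's
# selection logic replayed over constructed Sysmon Event ID 11 (FileCreate)
# records, plus the creating-process allow-list suggested for tuning.

# Extension list copied verbatim from the rule's selection block.
SUSPICIOUS_EXTENSIONS = (".bat", ".dll", ".exe", ".hta", ".js", ".ps1", ".vbe", ".vbs")

# Sigma's contains/endswith modifiers are case-insensitive, as are KQL's
# contains/endswith, so the path is lower-cased before comparison. The
# leading ':' keeps the match drive-letter agnostic, exactly as the rule is.
PUBLIC_FOLDER_MARKER = ":\\users\\public\\"


def matches_rule(target_filename: str) -> bool:
    """True when the path would satisfy the rule's 'selection' block."""
    path = target_filename.lower()
    return PUBLIC_FOLDER_MARKER in path and path.endswith(SUSPICIOUS_EXTENSIONS)


# Hypothetical allow-list of creating processes (Sysmon 'Image' field) for
# the administrator-deployment false positive. The ConfigMgr client path is
# an assumption for illustration; tune it to the deployment tooling you run.
# Full paths, not bare names, so a renamed dropper does not inherit the exemption.
APPROVED_DEPLOYMENT_IMAGES = {
    r"c:\windows\ccm\ccmexec.exe",
}


def is_alert(event: dict) -> bool:
    """Equivalent of 'condition: selection and not filter' with an Image filter."""
    if not matches_rule(event.get("TargetFilename", "")):
        return False
    return event.get("Image", "").lower() not in APPROVED_DEPLOYMENT_IMAGES


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Script host dropping a DLL into a Public subfolder: fires.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\update.dll"},
    # Upper-case path on a second drive: still fires (case-insensitive, any drive).
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"D:\USERS\PUBLIC\RUN.BAT"},
    # A user's own 'Public' subfolder is not :\Users\Public\: no match.
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Public\tool.exe"},
    # Archive extension is not in the list: no match, so no exclusion is needed.
    {"Image": r"C:\Program Files\BackupTool\agent.exe",
     "TargetFilename": r"C:\Users\Public\backup_20240505.tar.gz"},
    # Installer staged by the (assumed) approved deployment agent: suppressed.
    {"Image": r"C:\Windows\CCM\CcmExec.exe",
     "TargetFilename": r"C:\Users\Public\setup.exe"},
]


def run(events):
    """Return the TargetFilename of every event that would raise an alert."""
    return [e["TargetFilename"] for e in events if is_alert(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running the block prints two alerts, the PowerShell-dropped DLL and the upper-case batch file on D:; the alice\Public executable and the archive never match the selection, and the ConfigMgr-staged installer matches but is removed by the Image filter.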