
Suspicious File Created in Outlook Temporary Directory

Severity
high
Author
Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.

MITRE ATT&CK coverage

Tactic          Technique
Initial Access  T1566.001 Phishing: Spearphishing Attachment

Event coverage

Provider  Event ID  Title
Sysmon    11        FileCreate

Stages and Predicates

Stage 1: all of selection_extension

or:
TargetFilename|endswith: .cpl
TargetFilename|endswith: .hta
TargetFilename|endswith: .iso
TargetFilename|endswith: .rdp
TargetFilename|endswith: .svg
TargetFilename|endswith: .vba
TargetFilename|endswith: .vbe
TargetFilename|endswith: .vbs

Stage 2: all of selection_location

or:
TargetFilename|contains: '\AppData\Local\Microsoft\Windows\'
TargetFilename|contains: '\Content.Outlook\'
TargetFilename|contains: '\AppData\Local\Microsoft\Olk\Attachments\'
TargetFilename|contains: '\AppData\Local\Packages\Microsoft.Outlook_'
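The two stages above, combined as the rule's condition (all of selection_*), as an added example that is not the rule's or the catalog's own code: a small Python matcher run over constructed Sysmon Event ID 11 records. String matching is kept case-insensitive, as Sigma's is; every path in the sample events is made up.

```python
# Added example: this rule's two-stage logic re-implemented in Python and run over
# constructed Sysmon Event ID 11 records. Not the rule's own code; paths are made up.
SUSPICIOUS_EXTENSIONS = (".cpl", ".hta", ".iso", ".rdp", ".svg", ".vba", ".vbe", ".vbs")

# Path fragments from selection_location (doubled backslashes are Python escaping).
OUTLOOK_TEMP_LOCATIONS = (
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
)

def selection_extension(target: str) -> bool:
    """Stage 1: TargetFilename|endswith any listed extension (case-insensitive, as in Sigma)."""
    t = target.lower()
    return any(t.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)

def selection_location(target: str) -> bool:
    """Stage 2: TargetFilename|contains any Outlook temporary/attachment path fragment."""
    t = target.lower()
    return any(frag.lower() in t for frag in OUTLOOK_TEMP_LOCATIONS)

def rule_matches(event: dict) -> bool:
    """Condition 'all of selection_*': both stages must hold, on Sysmon Event ID 11 only."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    return selection_extension(target) and selection_location(target)

def find_alerts(events):
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows"
                                      "\\INetCache\\Content.Outlook\\ABCD1234\\Invoice.HTA"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows"
                                      "\\INetCache\\Content.Outlook\\ABCD1234\\report.pdf"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Downloads\\tools.iso"},  # wrong location
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Olk"
                                      "\\Attachments\\12\\payload.vbs"},
    {"EventID": 1, "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Olk"
                                     "\\Attachments\\12\\payload.vbs"},  # not a FileCreate event
]

if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Only the first and fourth sample events fire: the .pdf fails Stage 1, the Downloads path fails Stage 2, and the last record is not a FileCreate event at all.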

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field           Kind        Values
TargetFilename  ends_with
  • .cpl corpus 2 (sigma 2)
  • .hta corpus 12 (sigma 12)
  • .iso corpus 5 (sigma 5)
  • .rdp corpus 2 (sigma 2)
  • .svg corpus 2 (sigma 2)
  • .vba corpus 3 (sigma 3)
  • .vbe corpus 13 (sigma 13)
  • .vbs corpus 16 (sigma 16)
TargetFilename  match
  • \AppData\Local\Microsoft\Olk\Attachments\
  • \AppData\Local\Microsoft\Windows\
  • \AppData\Local\Packages\Microsoft.Outlook_
  • \Content.Outlook\