detection.wiki

Detection rules › Sigma

Suspicious Binaries and Scripts in Public Folder

Severity
high
Author
The DFIR Report
Source
upstream

Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1204 User Execution

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: selection

or:
TargetFilename|endswith: .bat
TargetFilename|endswith: .dll
TargetFilename|endswith: .exe
TargetFilename|endswith: .hta
TargetFilename|endswith: .js
TargetFilename|endswith: .ps1
TargetFilename|endswith: .vbe
TargetFilename|endswith: .vbs
TargetFilename|contains: ':\Users\Public\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
TargetFilenameends_with
  • .bat corpus 15 (sigma 15)
  • .dll corpus 21 (sigma 21)
  • .exe corpus 18 (sigma 18)
  • .hta corpus 12 (sigma 12)
  • .js corpus 8 (sigma 8)
  • .ps1 corpus 15 (sigma 15)
  • .vbe corpus 13 (sigma 13)
  • .vbs corpus 16 (sigma 16)
TargetFilenamematch
  • :\Users\Public\ corpus 2 (sigma 2)