Suspicious Execution From Public Folder

Rule Info

Name
Suspicious Execution From Public Folder
Author
Swachchhanda Shrawan Poudel
Description
Detects execution of suspicious files (such as .bat, .exe, or .ps1) from the Public folder, which may indicate execution of dropped malicious payloads. Ransomware actors, including BlackBasta, commonly use this technique to run their malware from publicly accessible locations. Legitimate software rarely installs executables in Public folders, which makes this behavior suspicious.
Date
2025-03-18 00:00:00
Modified
None
Id
2db12787-11fe-406e-ba8e-8d4e762106a8
Tags
attack.execution attack.t1059.001
Type
Nextron Sigma feed only (private)
