Suspicious Execution From Public Folder

Rule Info

Name
Suspicious Execution From Public Folder
Author
Swachchhanda Shrawan Poudel
Description
Detects execution of suspicious files (like .bat, .exe, .ps1, etc.) from the Public folder, which may indicate execution of dropped malicious payloads. This technique is commonly used by ransomware actors, including BlackBasta, to execute their malware from publicly accessible locations. Legitimate software rarely installs executables in Public folders, making this behavior suspicious.
Reference
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
Date
2025-03-18 00:00:00
Modified
None
Id
2db12787-11fe-406e-ba8e-8d4e762106a8
Tags
attack.execution attack.t1059.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022