Type: Detection | Level: high | Status: experimental
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Tue Jul 22
Rule ID: fabb0e80-030c-4e3e-a104-d09676991ac3
Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (2 selectors)
detection:
    selection_extension:
        TargetFilename|endswith:
            - '.cpl'
            - '.hta'
            - '.iso'
            - '.rdp'
            - '.svg'
            - '.vba'
            - '.vbe'
            - '.vbs'
    selection_location:
        - TargetFilename|contains:
              - '\AppData\Local\Packages\Microsoft.Outlook_'
              - '\AppData\Local\Microsoft\Olk\Attachments\'
        - TargetFilename|contains|all:
              - '\AppData\Local\Microsoft\Windows\'
              - '\Content.Outlook\'
    condition: all of selection_*

False Positives
Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
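The following is an added worked example, not code from the Sigma project or from this rule: it re-implements the rule's two selectors and its condition in Python and replays them over constructed file-creation records (the `TargetFilename` field as Sysmon Event ID 11 would present it after field mapping). It makes three Sigma semantics explicit that are easy to get wrong when porting the rule by hand: string modifiers compare case-insensitively, a YAML list placed directly under a selection is OR-ed, and `contains|all` requires every listed substring. The sample paths, the random Content.Outlook sub-folder and the package-family suffix are assumptions made for illustration.

```python
"""Added example: the Outlook temp-directory rule replayed over constructed
FileCreate records. Not part of Sigma or of the rule; field names and sample
paths are assumptions for illustration only."""

# selection_extension: TargetFilename|endswith (any one of these)
SUSPICIOUS_EXTENSIONS = (".cpl", ".hta", ".iso", ".rdp", ".svg", ".vba", ".vbe", ".vbs")

# selection_location, first list entry: TargetFilename|contains (any one substring)
OUTLOOK_DIR_ANY = (
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
)
# selection_location, second list entry: TargetFilename|contains|all (every substring)
OUTLOOK_DIR_ALL = (
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
)


def selection_extension(target: str) -> bool:
    """|endswith compares case-insensitively, so 'update.HTA' matches '.hta'."""
    return target.lower().endswith(SUSPICIOUS_EXTENSIONS)


def selection_location(target: str) -> bool:
    """The two list entries under selection_location are OR-ed.
    |contains needs any one substring, |contains|all needs every substring."""
    t = target.lower()
    in_any = any(s.lower() in t for s in OUTLOOK_DIR_ANY)
    in_all = all(s.lower() in t for s in OUTLOOK_DIR_ALL)
    return in_any or in_all


def matches(event: dict) -> bool:
    """condition: all of selection_*  ->  both selections must hold."""
    target = event.get("TargetFilename", "")
    return selection_extension(target) and selection_location(target)


def triage(events):
    """Return the TargetFilename of every record the rule would alert on, in order."""
    return [e["TargetFilename"] for e in events if matches(e)]


# Constructed sample records (assumed shape: one mapped Sysmon EID 11 event per dict).
SAMPLE_EVENTS = [
    # classic Outlook temp folder under INetCache\Content.Outlook\<random>, SVG attachment
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache"
                       "\\Content.Outlook\\8K2P0Z1Q\\invoice.svg"},
    # new Outlook attachment cache, RDP file
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Olk\\Attachments"
                       "\\3\\f1\\remote.rdp"},
    # packaged Outlook; upper-case extension exercises case-insensitive matching
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Packages"
                       "\\Microsoft.Outlook_8wekyb3d8bbwe\\TempState\\update.HTA"},
    # benign: right folder, extension not in the list
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache"
                       "\\Content.Outlook\\8K2P0Z1Q\\report.docx"},
    # benign: listed extension, but not an Outlook temp folder
    {"TargetFilename": "C:\\Users\\alice\\Downloads\\diagram.svg"},
    # only one of the two contains|all substrings is present, so no match
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\Temp\\stage.vbs"},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running it flags the first three records and ignores the other three. Two practitioner caveats: the rule only fires if file-creation telemetry actually covers these directories, and many Sysmon configurations filter Event ID 11 by extension or path, so confirm the extensions above are included before relying on it; and, as the false-positives note says, inline SVG images in signatures land in the same folders, so SVG hits in particular warrant a look at the originating message before escalation.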
MITRE ATT&CK
Tactics: Initial Access (from tag attack.initial-access)
Sub-techniques: T1566.001 Phishing: Spearphishing Attachment (from tag attack.t1566.001)
Related Rules
Similar: f748c45a-f8d3-4e6f-b617-fe176f695b8f (rule not found in this corpus)
Rule Metadata
Rule ID: fabb0e80-030c-4e3e-a104-d09676991ac3
Status: experimental
Level: high
Type: Detection
Created: Tue Jul 22
Path: rules/windows/file/file_event/file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml
Raw Tags: attack.initial-access, attack.t1566.001