feat(threat-hunting): Suspicious command involving Public folder

source/threat-hunting/index.md

@@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-08-24
+updated: 2025-09-21
 ---
 
 - [Generate ad_users.csv](ldap-ad-users)
@@ -104,6 +104,7 @@ updated: 2025-08-24
 - [Rundll32 Scheduled Task](rundll32-scheduled-task)
 - [SIDHistory compromise](sidhistory-compromise)
 - [SQL Server spawning Cmd.exe](sql-server-spawning-cmd-exe)
+- [Suspicious command involving Public folder](suspicious-command-public-folder)
 - [Splunk Events Deletion](splunk-events-deletion)
 - [SafeDllSearchMode is modified](safedllsearchmode-is-modified)
 - [Suspicious Logon/Logoff Events](suspicious-logon-logoff-events)

source/threat-hunting/suspicious-command-public-folder.md

@@ -0,0 +1,16 @@
+---
+title: Suspicious command involving Public folder
+layout: page
+date: 2025-09-21
+---
+
+References: [1](https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/#execution)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process="*C:\\Users\\Public\\*" BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
+| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email
+| table Time, index, host, EventCode, EventDescription, process, user, Name, Email
+```