TECHNICAL CASE STUDY

Securing public folders:
How a healthcare giant detects and stops malicious file activity with VMRay

Healthcare organizations face increasing challenges in protecting sensitive data and ensuring operational continuity against sophisticated cyber threats. In this case study, the security team of one of the top three healthcare providers in the US shares how they use VMRay’s advanced detection and analysis technologies to strengthen their defenses.

Highlighting real-world threat-hunting use cases, the document showcases how integrating VMRay into an automated security workflow improves detection accuracy, accelerates response efforts, and delivers actionable insights to outpace emerging threats.

Introduction

This document outlines a series of Threat Hunting use cases focused on detecting and mitigating potential threats related to the execution or download of suspicious files within the environment. Specifically, we explore the integration of VMRay, a malware sandboxing solution, into an automated security workflow to enhance detection and response capabilities.

In this document, we will provide an in-depth overview of one such use case, in which files are executed or downloaded to specific locations—most notably the public user profile, a common target for adversaries staging malware. Suspicious files of various types, including scripts, executables, links, and archives (e.g., ZIP files), are detected through SIEM rules that monitor for file creation activity in these critical locations. Once an alert is triggered, our Security Orchestration, Automation, and Response (SOAR) platform automatically retrieves the suspect file from the endpoint and submits it to VMRay for analysis.

We also highlight real-world examples of such attacks, such as the well-known Ascension Health Care incident, where malicious activity was linked to files staged in the public user folder. While Endpoint Detection and Response (EDR) tools may cover similar behavior, they are not always foolproof. By automatically submitting suspect files to VMRay for deep analysis, we add a crucial layer of defense-in-depth.

The output from VMRay’s analysis is used to drive programmatic decisions for further response actions, helping to prevent alert fatigue and streamline decision-making. Each file submission is tagged with a SOAR Case ID, enabling seamless cross-referencing and improved tracking of potential threats.

Additionally, we recommend periodic reviews of the VMRay dashboard, as analyzing suspicious file submissions can offer valuable insights into Potentially Unwanted Program (PUP) activity and other hidden threats within the environment.

SIEM rule overview: Threat hunt suspicious files in public user folder

This SIEM rule is designed to detect potentially suspicious files being created within the public user folder, a location commonly targeted by attackers for staging malicious files. 

The rule is configured to monitor specific file types often associated with malicious activity, such as executable files, scripts, and other potentially dangerous file formats. When a file matching the criteria is created, the SIEM generates an individual alert for each file event, enabling a targeted response.

Rule configuration details

Detection Criteria:

The rule specifically targets files created under the public user profile, focusing on specific file types typically used in malicious payloads or exploits. The rule performs a matching check for files created with these extensions (e.g., .exe, .zip, .bat, .vbs, .js, .url, etc.). It checks whether the file was created with system-level integrity (which is often a sign of privileged or malicious activity) and whether the User field in the event contains the term “Public”, indicating the file was placed in the public folder.

Sigma Rule Configuration:

The rule is built using Sigma, an open standard for writing detection rules that are portable across different SIEM platforms. This specific rule detects file creation events and filters for file types that are often associated with malware or malicious scripts.


Sigma Rule Example

```yaml
title: Threat Hunt Suspicious Files Public Users Folder
status: Production
description: Detections of Files being Created in Public User Folder
references:
    - See Reference List Below
author: (Redacted)
date: (Redacted)
modified: (Redacted)
logsource:
    category: File Creation
    product: EDR Solution
detection:
    selection:
        IntegrityLevel: System
        User|contains:
            - 'Public'
    selection_special:
        Image|endswith:
            - '\.ico'
            - '\.zip'
            - '\.wav'
            - '\.dat'
            - '\.vbs'
            - '\.js'
            - '\.jse'
            - '\.bat'
            - '\.url'
            - '\.cmd'
            - '\.hta'
            - '\.ps1'
            - '\.com'
            - '\.dll'
            - '\.exe'
            - '\.conf'
            - '\.mui'
    condition: all of selection*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: low
```

File Types Monitored:

The rule specifically looks for file extensions that are commonly associated with malicious files, including but not limited to:

    • Executables: .exe, .bat, .com, .dll
    • Scripts: .vbs, .ps1, .js, .jse, .cmd, .url
    • Archives: .zip, .dat
    • Other Potentially Malicious Formats: .ico, .wav, .conf, .mui, .hta

False Positives:

The rule includes considerations for administrative or legitimate tool usage that may generate similar file creation activity. This includes scripts and tools typically used in the environment for legitimate purposes, which could result in false positives. As such, the rule has been configured to flag these activities as low severity.
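An added example, not the team's code or a Sigma backend: a small Python evaluator for the subset of Sigma the rule above uses (the `contains` and `endswith` modifiers, AND across the fields of one selection, OR across list values, and the `all of selection*` condition), run over constructed file-creation events that stand in for the EDR's File Creation log source. One caveat worth knowing when reading the rule: under the Sigma specification a backslash followed by a non-wildcard character is a literal backslash, so a value written `'\.exe'` matches only a path that ends in `\.exe` (a file literally named `.exe`); the example therefore encodes the extensions as plain suffixes, which is the behaviour the prose describes. The evaluator also accepts `1 of ...` conditions and `startswith`, which go beyond this rule; event field names follow the rule, and all event values are constructed.

```python
"""Added example: evaluator for the Sigma subset used by the public-folder rule.

Not the team's code and not a Sigma backend; the events below are constructed
samples, not real telemetry.
"""

# The page's rule as structured data. Extensions are plain suffixes here
# (see the note on backslash escaping above the block).
PUBLIC_FOLDER_RULE = {
    "title": "Threat Hunt Suspicious Files Public Users Folder",
    "selection": {
        "IntegrityLevel": "System",
        "User|contains": ["Public"],
    },
    "selection_special": {
        "Image|endswith": [
            ".ico", ".zip", ".wav", ".dat", ".vbs", ".js", ".jse", ".bat", ".url",
            ".cmd", ".hta", ".ps1", ".com", ".dll", ".exe", ".conf", ".mui",
        ],
    },
    "condition": "all of selection*",
}


def _value_matches(value, modifier, patterns):
    """One field spec: list values are OR'd; Sigma string matching is case-insensitive."""
    if value is None:
        return False
    haystack = str(value).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if modifier == "":
        return haystack in pats
    if modifier == "contains":
        return any(p in haystack for p in pats)
    if modifier == "endswith":
        return any(haystack.endswith(p) for p in pats)
    if modifier == "startswith":
        return any(haystack.startswith(p) for p in pats)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """All field specs inside one selection must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _value_matches(event.get(field), modifier, patterns):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate an 'all of <prefix>*' or '1 of <prefix>*' condition over the named selections."""
    selections = {k: v for k, v in rule.items() if isinstance(v, dict)}
    quantifier, _, pattern = rule["condition"].partition(" of ")
    prefix = pattern.rstrip("*")
    chosen = [name for name in selections if name.startswith(prefix)]
    if not chosen:
        raise ValueError(f"condition references no selection: {rule['condition']}")
    results = [selection_matches(selections[name], event) for name in chosen]
    if quantifier == "all":
        return all(results)
    if quantifier == "1":
        return any(results)
    raise ValueError(f"unsupported condition: {rule['condition']}")


def alerting_events(rule, events):
    """One alert per matching event, as the SIEM does; returns the matching event ids."""
    return [e["id"] for e in events if rule_matches(rule, e)]


# Constructed EDR file-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "IntegrityLevel": "System", "User": r"WKS01\Public",
     "Image": r"C:\Users\Public\Downloads\invoice.js"},   # script dropped in Public
    {"id": 2, "IntegrityLevel": "System", "User": r"WKS01\Public",
     "Image": r"C:\Users\Public\Pictures\photo.png"},     # extension not monitored
    {"id": 3, "IntegrityLevel": "Medium", "User": r"WKS01\Public",
     "Image": r"C:\Users\Public\run.bat"},                # not system integrity
    {"id": 4, "IntegrityLevel": "System", "User": r"WKS01\jdoe",
     "Image": r"C:\Users\jdoe\Desktop\tool.exe"},         # not the Public profile
    {"id": 5, "IntegrityLevel": "System", "User": r"WKS01\Public",
     "Image": r"C:\Users\Public\Desktop\deploy.ps1"},     # admin script: likely false positive
]

if __name__ == "__main__":
    for event_id in alerting_events(PUBLIC_FOLDER_RULE, SAMPLE_EVENTS):
        print(f"alert: event {event_id} matches {PUBLIC_FOLDER_RULE['title']}")
```

Events 1 and 5 alert; event 5 is the kind of administrative script the rule's falsepositives section anticipates, which is why the rule ships at low severity and hands the file to the sandbox rather than blocking on the match alone.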

SIEM use case summary

The primary goal of this SIEM rule is to detect malicious file creation in locations commonly abused by attackers, like the public folder. Once an alert is triggered by the detection of a suspicious file type in the folder, the alert is forwarded to the SOAR platform for automated processing. The file is then downloaded and submitted to VMRay for further sandbox analysis, providing enhanced threat detection and mitigating risks of malware infection.

By monitoring these types of file creation events, security teams can quickly identify and respond to potential threats, reducing the time to detect and mitigate adversary activity.


SOAR: VMRay Playbook Workflow Overview

Once a suspicious file is detected by the SIEM rule and the alert is generated, the corresponding VMRay Playbook is automatically triggered within the SOAR platform. This playbook is designed to facilitate the automated investigation and response process, involving multiple decision points, error handling, and possible actions based on the results at each stage.

The playbook ensures that suspicious files are analyzed promptly, with the results guiding subsequent actions. Below is a high-level flow of the playbook in pseudocode, outlining the key steps and potential actions that can be taken.

VMRay Playbook Basic Flow

  1. Host Online Check

    • Action: Determine if the host is online.
      • If Host is Online: Proceed to the next step (Step 2).
      • If Host is Offline: Wait a predefined period (X) and retry the check.

  2. File Existence on Endpoint

    • Action: Verify whether the file exists on the endpoint.
      • If File Exists: Proceed to the next step (Step 3).
      • If File Does Not Exist: Consider additional actions:
        • Hash Reputation: Check the file hash against reputation databases.
        • Pull Endpoint Logs: Retrieve and analyze logs from the endpoint.
        • Scan Host: Perform a host-level scan for other potential threats.
        • Escalate or Close: Decide whether to escalate the investigation or close the case based on the findings.

  3. Submit File to VMRay

    • Action: Submit the file to VMRay for sandbox analysis.
      • If Submission Succeeds: Tag the submission with the SOAR Case ID for reference.
      • If Submission Fails (Error): Handle errors appropriately.
        • Possible Actions:
          • Escalate: Raise the issue to higher-level security personnel for further investigation.
          • Retry: Attempt to resubmit the file.
          • Other Actions: As in Step 2, perform additional actions such as:
            • Hash Reputation: Check the file hash.
            • Pull Endpoint Logs: Retrieve logs for deeper analysis.
            • Scan Host: Run a host-level scan.

  4. Receive and Process Report Results

    • Action: Retrieve the results of the sandbox analysis from VMRay.
      • If Report is Clean or Suspicious: Close the case or escalate based on the severity.
      • If Report is Malicious: Follow up with response actions as needed.
      • Other Possible Actions:
        • Hash Reputation: Verify the reputation of the file hash.
        • Pull Endpoint Logs: Analyze endpoint logs for further details.
        • Scan Host: Conduct a thorough scan of the host.
        • Quarantine Host: If the host is compromised, quarantine it to prevent further damage.
        • Block Hash: Block the malicious file’s hash across the environment to prevent execution.
        • Remove File: If the file is confirmed malicious, remove it from the host.

  5. Set Up Email Alerts in VMRay

    • Action: Configure email alerts to notify security teams of any changes to the file’s status.
      • Note: Files may initially be flagged as clean or suspicious but could later be reclassified as malicious after further analysis (e.g., recursive submission or deeper sandbox examination). Email alerts will ensure that the security team is updated on these changes in real time.

Tagging with SOAR Case ID

To maintain traceability, each file submission is tagged with the SOAR Case ID. This allows security teams to easily reference and track the file across different stages of investigation, whether in the VMRay dashboard or in email alerts. 

This ensures that all actions related to a particular file are linked back to the originating alert and associated investigation case.
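The five playbook steps and the Case ID tagging described above, written out as an added Python example. This is not the team's playbook and not the VMRay or SOAR product APIs: the connector functions `host_online`, `file_exists`, `submit_file`, `fetch_report` and `subscribe_alerts` are hypothetical callables that the caller injects, the tag format `soar-case:<id>` and the status strings are assumptions, and `make_fake_connectors` builds constructed in-memory connectors so the decision logic (bounded host-check retries, fallback actions when the file is missing, one resubmission before escalating, verdict-driven response, and alert subscription under the same Case ID) can be exercised offline.

```python
"""Added example: the SOAR playbook flow as code.

Not the team's playbook and not any product API. Every connector is a
hypothetical callable injected by the caller; the fake connectors at the
bottom are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Verdict(str, Enum):
    CLEAN = "clean"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"


@dataclass
class Connectors:
    """Hypothetical integration points, one per playbook step."""
    host_online: Callable[[str], bool]                  # step 1
    file_exists: Callable[[str, str], bool]             # step 2
    submit_file: Callable[[str, str, List[str]], str]   # step 3: returns a submission id, raises on error
    fetch_report: Callable[[str], Verdict]              # step 4
    subscribe_alerts: Callable[[str, str], None]        # step 5


@dataclass
class PlaybookResult:
    case_id: str
    status: str = "running"
    actions: List[str] = field(default_factory=list)
    submission_id: Optional[str] = None
    verdict: Optional[Verdict] = None


# Fallback actions the playbook lists when the file is missing, submission fails,
# or the verdict needs follow-up.
FALLBACK_ACTIONS = ["hash_reputation", "pull_endpoint_logs", "scan_host"]


def run_playbook(case_id, host, path, conn, max_host_checks=3, max_submit_attempts=2):
    result = PlaybookResult(case_id=case_id)

    # Step 1: host online check with a bounded retry budget instead of an open-ended wait.
    for attempt in range(1, max_host_checks + 1):
        if conn.host_online(host):
            break
        result.actions.append(f"wait_and_retry_host_check:{attempt}")
    else:
        result.status = "retry_later"
        return result

    # Step 2: file existence on the endpoint; if absent, gather context and hand off.
    if not conn.file_exists(host, path):
        result.actions.extend(FALLBACK_ACTIONS)
        result.status = "analyst_review"  # escalate or close based on those findings
        return result

    # Step 3: submit, tagged with the SOAR Case ID; retry on error, then escalate.
    tags = [f"soar-case:{case_id}"]
    for attempt in range(1, max_submit_attempts + 1):
        try:
            result.submission_id = conn.submit_file(host, path, tags)
            break
        except RuntimeError as exc:
            result.actions.append(f"submit_retry:{attempt}:{exc}")
    if result.submission_id is None:
        result.actions.extend(FALLBACK_ACTIONS)
        result.status = "escalated"
        return result

    # Step 4: the verdict drives the response actions programmatically.
    result.verdict = conn.fetch_report(result.submission_id)
    if result.verdict is Verdict.MALICIOUS:
        result.actions.extend(["quarantine_host", "block_hash", "remove_file", *FALLBACK_ACTIONS])
        result.status = "escalated"
    elif result.verdict is Verdict.SUSPICIOUS:
        result.actions.extend(FALLBACK_ACTIONS)
        result.status = "escalated"
    else:
        result.status = "closed"

    # Step 5: later reclassification alerts stay linked to the case through the same id.
    conn.subscribe_alerts(result.submission_id, case_id)
    result.actions.append("email_alert_subscribed")
    return result


def make_fake_connectors(online_after=0, fail_submits=0, verdict=Verdict.MALICIOUS, file_present=True):
    """Constructed in-memory connectors; returns (connectors, observed state)."""
    state = {"host_checks": 0, "submits": 0, "tags": None, "subscriptions": []}

    def host_online(host):
        state["host_checks"] += 1
        return state["host_checks"] > online_after

    def submit_file(host, path, tags):
        state["submits"] += 1
        if state["submits"] <= fail_submits:
            raise RuntimeError("sandbox unavailable")
        state["tags"] = list(tags)
        return f"sub-{state['submits']}"

    conn = Connectors(
        host_online=host_online,
        file_exists=lambda host, path: file_present,
        submit_file=submit_file,
        fetch_report=lambda sid: verdict,
        subscribe_alerts=lambda sid, cid: state["subscriptions"].append((sid, cid)),
    )
    return conn, state


if __name__ == "__main__":
    conn, state = make_fake_connectors(online_after=1, fail_submits=1)
    outcome = run_playbook("CASE-1234", "WKS01", r"C:\Users\Public\Downloads\invoice.js", conn)
    print(outcome.status, outcome.verdict.value, outcome.actions, state["tags"])
```

The two retry loops are deliberately bounded: an offline host or an unavailable sandbox must end in a recorded state (`retry_later`, `escalated`) rather than a playbook that spins indefinitely, and every branch leaves its actions in `PlaybookResult.actions` so the case record shows what was done and why.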

Reference list for the Public Folder Use Case

The following references provide additional context and insights into the behavior and techniques associated with the exploitation of public folders and other similar attack vectors. These resources include reports from various threat intelligence organizations, government agencies, and security researchers. They are particularly valuable for understanding how attackers use public folders and other locations for malware staging, file execution, and data exfiltration.

  1. Palo Alto Networks – Repellent Scorpius: Cicada3301 Ransomware
  2. CISA – Cybersecurity Advisory AA23-061A
  3. JPCERT – Attack Activities by Kimsuky Targeting Japanese Organizations
  4. Australian Cyber Security Centre – APT40 Advisory
  5. CISA – Cybersecurity Advisory AA24-190A
  6. CISA – Cybersecurity Advisory AA24-131A
  7. Slovak CSIRT – OfflRouter Analysis
  8. Talos Intelligence – OfflRouter Virus
  9. The Hacker News – Python-based Snake Info Stealer
  10. Cyble – Festive Facade: Multi-Stage Malware
  11. Trend Micro – Analyzing AsyncRAT Code Injection
  12. fyi – Rhysida Ransomware Detection Opportunities
  13. Arctic Wolf – TellMeTheTruth Exploitation
  14. Elastic – Introducing the REF5961 Intrusion Set
  15. AhnLab – Analysis of Malicious Activities
  16. Zscaler – Toitoin Trojan Analysis
  17. Trend Micro – Malvertising Used as Entry Vector for BlackCat
  18. Securonix – Multistorm Leverages Python-based Loader
  19. Checkpoint – Stealth Soldier Backdoor Used in Targeted Espionage Attacks
  20. CERT-UA – Cybersecurity Advisory 4818341
  21. CERT-UA – Cybersecurity Advisory 4501891
  22. CERT-UA – Cybersecurity Advisory 3761023
  23. CERT-UA – Cybersecurity Advisory 3349703
  24. CERT-UA – Cybersecurity Advisory 2394117
  25. GTELTSC – Microsoft Exchange 0-Day RCE Vulnerability
  26. Rapid7 – Post-Authentication Zero-Day Vulnerabilities in Microsoft Exchange
  27. CERT-UA – Cybersecurity Advisory 405538
  28. CERT-UA – Cybersecurity Advisory 160530
  29. CERT-UA – Cybersecurity Advisory 40559
  30. CERT-UA – Cybersecurity Advisory 39138
  31. Checkpoint – Chinese Threat Actors Targeting Europe
  32. Bitdefender – RDStealer Exfiltration Malware
  33. Blackberry – Decoding Romcom Behaviors and Opportunities for Detection
  34. Talos Intelligence – Lazarus Quiterat
  35. KnownSec 404 – APT North Korean Operations: Offensive Analysis
  36. Seqrite – Sidecopy’s Multi-Platform Onslaught
  37. Sophos – Vice Society and Rhysida Ransomware
  38. Fortinet – Rhysida Ransomware Intrusion
  39. AhnLab – Analysis of New Threats
  40. Checkpoint – MosesStaff Targeting Israeli Companies
  41. ClearSky – No Justice Wiper
  42. Fortinet – Lumma Variant on YouTube
  43. Trend Micro – CVE-2023-36025 Exploited for Defense Evasion
  44. SentinelOne – A Glimpse into Future ScarCruft Campaigns
  45. Arctic Wolf – CherryLoader Go-based Loader
  46. Elastic – Unmasking Financial Services Intrusion
  47. CSIRT-CTI – Stately Taurus Targets Myanmar
  48. Fortinet – Python Info Stealer Malicious Excel Document

Other Example Use Cases

The following use cases serve as examples of the types of suspicious file activities that can be monitored and automated within your environment. These are not an exhaustive list, but they represent a variety of common tactics used by attackers to execute or distribute malicious files. Each of these use cases is designed to detect specific behaviors related to file execution or unusual file activity that may indicate a security threat.

  1. Files Executed from the User’s Folder

  • Description: Malicious files are often executed from user directories, particularly user-specific folders like the Public folder, which may be exploited by attackers to stage and execute payloads. Monitoring file execution from these locations helps detect unauthorized or suspicious activity that bypasses traditional security controls.
  • Detection Strategy: SIEM rules monitor the User folder for file executions or suspicious file types, while automated playbooks handle submissions to VMRay for further analysis and response.

  2. Files Writing .sys Files to the Driver’s Directory

  • Description: Malicious files may attempt to write system-level driver files to the driver’s directory (typically C:\Windows\System32\drivers\) in an attempt to gain elevated privileges or establish persistence. This type of activity is highly indicative of potential rootkit or driver-based malware.
  • Detection Strategy: A rule is created to detect file writes to known driver directories, specifically looking for system files (e.g., .sys files) being written to locations outside of normal user behavior. If detected, automated workflows submit the file for sandbox analysis and escalate as necessary.

  3. Executable Files or Scripts from RAR Archives

  • Description: Attackers frequently distribute malicious payloads within archive files like RAR or ZIP files. These files may contain executable scripts, batch files, or other potentially dangerous executables. The execution of files extracted from these archives often represents an attempt to bypass traditional scanning mechanisms by hiding payloads within compressed formats.
  • Detection Strategy: The SIEM system looks for unusual behavior where executables or scripts are extracted or run directly from RAR files. Alerts are triggered for file extractions in suspicious directories, and the files are then analyzed by VMRay.

  4. Files Executed from Mounted Drives

  • Description: Mounted drives (e.g., USB drives, network shares, or ISO images) are common vectors for malware delivery, especially in targeted attacks. Files executed from these drives may be malicious, as attackers often use portable media to move and execute payloads on compromised systems.
  • Detection Strategy: Monitor for executable or script files running from mounted drives, including USB storage devices and network-mounted volumes. Such activity is flagged, and the file is automatically submitted for analysis. The system can also be configured to block such executions based on specific risk thresholds.

  5. Office Files Writing Executables

  • Description: Office documents (such as Word, Excel, and PowerPoint files) are commonly used in phishing campaigns. These documents may contain embedded macros, which, when executed, can write malicious executables to disk or launch external scripts. Monitoring this activity can help detect and block early-stage attacks before they escalate.
  • Detection Strategy: SIEM rules detect file write actions triggered by Office files, particularly when macros or other embedded objects attempt to execute or download additional files. These events are flagged, and any suspicious files are automatically sent to VMRay for sandbox analysis.

Summary:

These example use cases reflect common attack vectors that are critical to monitor for in modern environments. By automating the detection, submission, and analysis of suspicious file behaviors, organizations can proactively identify threats and mitigate potential damage.

While these examples are not all-inclusive, they represent key tactics and techniques commonly used by adversaries to execute or deliver malicious payloads.

“The automated integration with tools like VMRay and the SOAR platform allows for fast and efficient triage, investigation, and response to these threats, ensuring that suspicious file activity is promptly handled and mitigated before it can cause harm.”
