WTFBins

  • iManage Document Protection


    Contributed By: Chris Beckett (@cbecks_2)

    Behavior Description: When Office documents are protected by iManage, opening them creates files in %TEMP% with a randomly generated file extension, which sometimes matches a script file extension (such as .hta, .sct, .inf, .cpl, .wsf, etc.). This happens because iManage uses the Path.GetRandomFileName method to generate these file names. So while most instances result in files that look like x191krbu.idj, sometimes they end up being written as x191krbu.hta, which will likely wreak havoc on a good defender's SIEM rules.
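
    One way to triage these events in a file-creation rule, as an added example that is not part of the original entry or iManage's code. The Office process names, the default %TEMP% location, the 8.3 name shape taken from the entry's sample, and the constructed events (using Sysmon Event ID 11 field names) are all assumptions.

```python
import ntpath
import re

# Extensions the entry names as colliding with the random file names.
SCRIPT_EXTS = {".hta", ".sct", ".inf", ".cpl", ".wsf"}

# Assumption: random names have the shape of the entry's sample
# (x191krbu.idj): 8 lowercase alphanumerics, a dot, 3 more.
RANDOM_8_3 = re.compile(r"[a-z0-9]{8}\.[a-z0-9]{3}")

# Assumption: the Office applications are the writing processes.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumption: %TEMP% expands to the default per-user location.
TEMP_SUFFIX = "\\appdata\\local\\temp"


def classify(event):
    """Return 'ignore', 'low' or 'alert' for one file-create event."""
    folder, name = ntpath.split(event["TargetFilename"])
    ext = ntpath.splitext(name)[1].lower()
    if ext not in SCRIPT_EXTS:
        return "ignore"   # e.g. x191krbu.idj: no script-type rule fires
    writer = ntpath.basename(event["Image"]).lower()
    if (writer in OFFICE_IMAGES
            and folder.lower().endswith(TEMP_SUFFIX)
            and RANDOM_8_3.fullmatch(name)):
        return "low"      # probable random-name collision: keep, deprioritise
    return "alert"        # everything else stays at full severity


# Constructed sample events (field names follow Sysmon Event ID 11).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLES = [
    {"Image": WORD, "TargetFilename": TEMP + r"\x191krbu.idj"},
    {"Image": WORD, "TargetFilename": TEMP + r"\x191krbu.hta"},
    {"Image": WORD, "TargetFilename": TEMP + r"\invoice.hta"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": TEMP + r"\x191krbu.hta"},
    {"Image": WORD, "TargetFilename": r"C:\Users\alice\Downloads\x191krbu.hta"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(classify(ev), ev["TargetFilename"])
```

    A "low" result is a priority hint rather than a suppression: the name shape alone says nothing about what the file contains, so the event is still kept.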