iManage Document Protection
Contributed By: Chris Beckett (@cbecks_2)
Behavior Description: When Office documents are protected by iManage, upon opening them they create script files in %TEMP%
with a randomly generated file extension (such as .hta
, .sct
, .inf
, .cpl
, .wsf
, etc.). This happens because iManage implements the Path.GetRandomFileName
Method to handle this behavior. So while most instances result in files that look like x191krbu.idj
, sometimes they end up being written like x191krbu.hta
which likely will wreak havoc on a good defender's SIEM rules.
![](https://user-images.githubusercontent.com/33350823/217361838-f14083c1-93f5-4456-afcf-1086deb69eec.png)