iManage Document Protection
Contributed By: Chris Beckett (@cbecks_2)
Behavior Description: When Office documents are protected by iManage, opening them creates script files in %TEMP% with a randomly generated file extension (such as .wsf, etc.). This happens because iManage uses the Path.GetRandomFileName method to generate the file names. So while most instances result in files that look like x191krbu.idj, sometimes they end up being written like x191krbu.hta, which will likely wreak havoc on a good defender's SIEM rules.
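One way a defender could tune a "script file written to %TEMP%" rule for this behavior, as an added example that is not part of the original entry or of iManage's code. The event field names, the Office image list, the script-extension list, the default %TEMP% location and the "executed" correlation flag are all assumptions, and the name pattern is modelled only on the two file names shown above.

```python
import re
from pathlib import PureWindowsPath

# Shape of the names shown in the entry (x191krbu.idj): 8 + "." + 3 lowercase alphanumerics.
RANDOM_NAME = re.compile(r"[a-z0-9]{8}\.[a-z0-9]{3}")
SCRIPT_EXTS = {".hta", ".wsf", ".vbs", ".vbe", ".jse", ".ps1", ".bat", ".cmd"}  # assumed rule scope
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}    # assumed writers
TEMP_SUFFIX = "\\appdata\\local\\temp"  # assumed default per-user %TEMP%


def is_random_style(name: str) -> bool:
    """True when a file name has the 8.3 random shape described in the entry."""
    return RANDOM_NAME.fullmatch(name) is not None


def triage(event: dict) -> str:
    """Classify one file-creation event (hypothetical fields: image, target, executed)."""
    target = PureWindowsPath(event["target"])
    if target.suffix.lower() not in SCRIPT_EXTS:
        return "ignore"  # the common case, e.g. x191krbu.idj
    benign_shape = (
        str(target.parent).lower().endswith(TEMP_SUFFIX)
        and PureWindowsPath(event["image"]).name.lower() in OFFICE_IMAGES
        and is_random_style(target.name)
    )
    # A matching name is easy to imitate, so it only lowers severity,
    # and never when something went on to run the file.
    if benign_shape and not event.get("executed", False):
        return "low"
    return "alert"


# Constructed sample events, not taken from real telemetry.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLES = [
    {"image": WORD, "target": TEMP + r"\x191krbu.idj"},
    {"image": WORD, "target": TEMP + r"\x191krbu.hta"},
    {"image": WORD, "target": TEMP + r"\invoice.hta"},
    {"image": r"C:\Windows\System32\cmd.exe", "target": TEMP + r"\x191krbu.hta"},
    {"image": WORD, "target": TEMP + r"\x191krbu.hta", "executed": True},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(triage(ev), ev["target"])
```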