mttaggart/wtfbins

[New WTFBin]: iManage Document Protection

cbecks2 opened this issue · 1 comment

  • Contributor Name: Chris Beckett / @cbecks_2
  • Application/Executable: iManage Document Protection
  • WTF Behavior Description: When Office documents are protected by iManage, upon opening them they create script files in %TEMP% with a randomly generated file extension (such as .hta, .sct, .inf, .cpl, .wsf, etc.). This happens because iManage implements the Path.GetRandomFileName Method to handle this behavior. So while most instances result in files that look like x191krbu.idj, sometimes they end up being written like x191krbu.hta, which likely will wreak havoc on a good defender's SIEM rules.
  • Link to Documentation of Behavior: This is undocumented behavior, but was made clear in a support ticket.
  • Please provide any images for additional evidence.

Added in 7b8513a
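
A triage sketch for the behavior reported above, added here as an example and not taken from the issue, the WTFBins project or iManage. It downgrades a watched-extension file in %TEMP% only when its name has the 8.3 random shape of the issue's `x191krbu.idj` example, and re-raises it if a script host later opens it. The event fields, the script-host list and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Shape of the issue's example x191krbu.idj: 8 chars, a dot, 3 chars.
RANDOM_8_3 = re.compile(r"[a-z0-9]{8}\.[a-z0-9]{3}")
# Extensions named in the issue.
WATCHED_EXT = {".hta", ".sct", ".inf", ".cpl", ".wsf"}
# Assumption: processes whose use of such a file should always alert.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "control.exe"}

def classify_create(path):
    """Severity for a file-create event: 'ignore', 'low' or 'alert'."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in WATCHED_EXT:
        return "ignore"
    random_shaped = RANDOM_8_3.fullmatch(p.name) is not None
    directly_in_temp = p.parent.name.lower() == "temp"
    # A random-shaped name alone proves nothing, so downgrade, never suppress.
    return "low" if random_shaped and directly_in_temp else "alert"

def triage(events):
    """Map each lowercased path to its final severity across all events."""
    verdicts = {}
    for ev in events:
        key = ev["path"].lower()
        if ev["action"] == "create":
            verdicts.setdefault(key, classify_create(ev["path"]))
        elif ev["action"] == "execute":
            ext = PureWindowsPath(ev["path"]).suffix.lower()
            if ev["process"].lower() in SCRIPT_HOSTS and ext in WATCHED_EXT:
                verdicts[key] = "alert"  # execution overrides any downgrade
    return verdicts

# Constructed sample events (not real telemetry).
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"action": "create", "path": TEMP + r"\x191krbu.idj", "process": "WINWORD.EXE"},
    {"action": "create", "path": TEMP + r"\x191krbu.hta", "process": "WINWORD.EXE"},
    {"action": "create", "path": TEMP + r"\invoice.hta", "process": "WINWORD.EXE"},
    {"action": "create", "path": TEMP + r"\q7m2zk0d.wsf", "process": "WINWORD.EXE"},
    {"action": "execute", "path": TEMP + r"\q7m2zk0d.wsf", "process": "wscript.exe"},
    {"action": "create", "path": r"C:\Users\alice\Downloads\ab12cd34.sct", "process": "WINWORD.EXE"},
]

if __name__ == "__main__":
    for path, severity in triage(SAMPLE_EVENTS).items():
        print(f"{severity:6} {path}")
```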