Executable File Creation with Multiple Extensions
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/19"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
13when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
14benign file type but is actually executable code.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Executable File Creation with Multiple Extensions"
21risk_score = 47
22rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
23severity = "medium"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Defense Evasion",
29 "Data Source: Elastic Endgame",
30 "Data Source: Elastic Defend",
31 "Data Source: Sysmon",
32 "Data Source: Microsoft Defender for Endpoint",
33 "Data Source: SentinelOne",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
40 file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
41 not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
42 file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1036"
50name = "Masquerading"
51reference = "https://attack.mitre.org/techniques/T1036/"
52[[rule.threat.technique.subtechnique]]
53id = "T1036.007"
54name = "Double File Extension"
55reference = "https://attack.mitre.org/techniques/T1036/007/"
56
57
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1204"
67name = "User Execution"
68reference = "https://attack.mitre.org/techniques/T1204/"
69[[rule.threat.technique.subtechnique]]
70id = "T1204.002"
71name = "Malicious File"
72reference = "https://attack.mitre.org/techniques/T1204/002/"
73
74
75
76[rule.threat.tactic]
77id = "TA0002"
78name = "Execution"
79reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate