Executable File Creation with Multiple Extensions
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.
Elastic rule
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
benign file type but is actually executable code.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Executable File Creation with Multiple Extensions"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
  not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
  not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.007"
name = "Double File Extension"
reference = "https://attack.mitre.org/techniques/T1036/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
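To see exactly which file names the query above flags and which it suppresses, the following is an added Python re-implementation of its conditions (it is not Elastic's code and is not how the rule engine evaluates EQL). It mirrors the three operators the query relies on: `regex~` is case-insensitive and, like an Elasticsearch regexp, must match the whole string, so `fullmatch` is used; `:` is a case-insensitive comparison in which `*` and `?` are wildcards; and the two `not` clauses carve out the QGIS/msiexec installer path and a few non-Windows parent executables. The `FileEvent` type, the `matches`/`detect` helpers and all sample events are constructed for this example.

```python
import re
from dataclasses import dataclass

# Lists copied verbatim from the rule's EQL query.
DOUBLE_EXT_RE = re.compile(
    r".*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe",
    re.IGNORECASE,  # regex~ is the case-insensitive form of EQL's regex operator
)
QGIS_INSTALLERS = (
    r"?:\Windows\System32\msiexec.exe",
    r"C:\Users\*\QGIS_SCCM\Files\QGIS-OSGeo4W-*-Setup-x86_64.exe",
)
QGIS_GRASS_PATH = r"?:\Program Files\QGIS *\apps\grass\*.exe"
NON_WINDOWS_PARENTS = ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")


def eql_wildcard(pattern: str) -> re.Pattern:
    """Translate an EQL ':' pattern (case-insensitive, '*' and '?' wildcards) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def any_wild(value: str, patterns) -> bool:
    """EQL 'field : (p1, p2, ...)' is true if any pattern fully matches the value."""
    return any(eql_wildcard(p).fullmatch(value) for p in patterns)


@dataclass
class FileEvent:
    """Constructed stand-in for the ECS fields the query reads."""
    host_os_type: str
    event_type: str
    file_name: str
    file_path: str
    process_executable: str

    @property
    def file_extension(self) -> str:
        return self.file_name.rsplit(".", 1)[-1] if "." in self.file_name else ""


def matches(ev: FileEvent) -> bool:
    """Return True if the event satisfies the rule's full query, including its exclusions."""
    if ev.host_os_type != "windows" or ev.event_type != "creation":
        return False
    if not any_wild(ev.file_extension, ("exe",)):
        return False
    if not DOUBLE_EXT_RE.fullmatch(ev.file_name):
        return False
    # not (process.executable : (QGIS installers) and file.path : QGIS grass path)
    if any_wild(ev.process_executable, QGIS_INSTALLERS) and any_wild(ev.file_path, (QGIS_GRASS_PATH,)):
        return False
    # not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
    if any_wild(ev.process_executable, NON_WINDOWS_PARENTS):
        return False
    return True


def detect(events) -> list:
    """Names of the files whose creation events the rule would alert on."""
    return [ev.file_name for ev in events if matches(ev)]


# Constructed sample events (not real telemetry).
EVENTS = [
    FileEvent("windows", "creation", "invoice.pdf.exe",
              r"C:\Users\alice\Downloads\invoice.pdf.exe",
              r"C:\Users\alice\AppData\Local\Temp\7z.exe"),            # classic double extension
    FileEvent("windows", "creation", "Report.DOCX.EXE",
              r"C:\Users\bob\Desktop\Report.DOCX.EXE",
              r"C:\Program Files\Mozilla Firefox\firefox.exe"),         # upper case still matches
    FileEvent("windows", "creation", "setup.exe",
              r"C:\Users\bob\Downloads\setup.exe",
              r"C:\Program Files\Mozilla Firefox\firefox.exe"),         # single extension, no alert
    FileEvent("windows", "creation", "clean_temp.bat.exe",
              r"C:\Program Files\QGIS 3.28\apps\grass\clean_temp.bat.exe",
              r"C:\Windows\System32\msiexec.exe"),                      # QGIS installer carve-out
    FileEvent("windows", "creation", "photo.jpg.exe",
              r"C:\inetpub\photo.jpg.exe", "/usr/bin/perl"),            # excluded parent
    FileEvent("linux", "creation", "photo.jpg.exe",
              "/tmp/photo.jpg.exe", "/bin/bash"),                      # rule is Windows-only
]

if __name__ == "__main__":
    print(detect(EVENTS))
```

Running it reports only `invoice.pdf.exe` and `Report.DOCX.EXE`; the QGIS and `/usr/bin/perl` events are dropped by the exclusions even though their names match the regex, which is the behaviour to keep in mind when tuning the rule's allow-list for other installers.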
Setup
If you enable this EQL rule on a non-Elastic-Agent index (such as Beats) on a stack version earlier than 8.2, events will not carry the event.ingested field, and the default fallback for EQL rules was not added until 8.2. You will therefore need a custom ingest pipeline that populates event.ingested from @timestamp for this rule to work.
Related rules
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Clearing Windows Console History
- Clearing Windows Event Logs
- Code Signing Policy Modification Through Built-in tools