Executable File Creation with Multiple Extensions
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/19"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
13when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
14benign file type but is actually executable code.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Executable File Creation with Multiple Extensions"
21risk_score = 47
22rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
23setup = """## Setup
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "medium"
32tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
38 file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
39 not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
40 file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
41 not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1036"
49name = "Masquerading"
50reference = "https://attack.mitre.org/techniques/T1036/"
51[[rule.threat.technique.subtechnique]]
52id = "T1036.007"
53name = "Double File Extension"
54reference = "https://attack.mitre.org/techniques/T1036/007/"
55
56
57
58[rule.threat.tactic]
59id = "TA0005"
60name = "Defense Evasion"
61reference = "https://attack.mitre.org/tactics/TA0005/"
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1204"
66name = "User Execution"
67reference = "https://attack.mitre.org/techniques/T1204/"
68[[rule.threat.technique.subtechnique]]
69id = "T1204.002"
70name = "Malicious File"
71reference = "https://attack.mitre.org/techniques/T1204/002/"
72
73
74
75[rule.threat.tactic]
76id = "TA0002"
77name = "Execution"
78reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate
- DNS-over-HTTPS Enabled via Registry