Executable File Creation with Multiple Extensions
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.
[metadata]
creation_date = "2021/01/19"
# Integrations whose file events the rule is meant to consume; these line up with the index
# patterns listed under [rule].index (endpoint, windows/sysmon, m365_defender, sentinel_one).
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
# Stack floor: the Windows integration changed incompatibly at 8.14.0 (see min_stack_comments),
# so the rule is not loaded on older stacks.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

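[rule]
author = ["Elastic"]
description = """
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
benign file type but is actually executable code.
"""
# Scheduling lookback. Alerts key on event.ingested (timestamp_override below) rather than the
# event timestamp, so late-arriving endpoint events are still evaluated inside the window.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Executable File Creation with Multiple Extensions"
risk_score = 47
rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

# Fires on creation of a *.exe whose name carries a second, benign-looking extension immediately
# before ".exe" (e.g. "invoice.pdf.exe"). `regex~` is the case-insensitive regex operator, and the
# leading ".*" is needed because Elasticsearch regexes are anchored to the whole value.
#
# Coverage caveats for tuning:
# - Only .exe is considered: file.extension and the regex suffix both pin it. Other Windows
#   executable extensions (.scr, .com, .pif, .cpl) are not covered by this rule.
# - The exclusion is a conjunction: BOTH the writing process (msiexec or the QGIS SCCM setup
#   binary) AND a destination under "?:\Program Files\QGIS *\apps\grass\" must match, so a
#   QGIS-installer look-alike dropping files anywhere else is still flagged. The setup-binary
#   path lives under C:\Users\* (user-writable), so keep the file.path conjunct if this is edited.
query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|img|iso)\.exe""" and
  not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
'''

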
# Primary ATT&CK mapping: the query keys directly on the double-extension pattern (T1036.007),
# which is what the file.name regex detects.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.007"
name = "Double File Extension"
reference = "https://attack.mitre.org/techniques/T1036/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# Secondary ATT&CK mapping: the lure depends on a user launching the file (T1204.002). Note the
# rule itself observes file *creation* (event.type == "creation"), not the later execution, so a
# hit here means the lure was staged, not necessarily that it ran.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"