Executable File Creation with Multiple Extensions

Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/19"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
13when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
14benign file type but is actually executable code.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Executable File Creation with Multiple Extensions"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25risk_score = 47
26rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
34  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
35  not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
36       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
37  not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1036"
45name = "Masquerading"
46reference = "https://attack.mitre.org/techniques/T1036/"
47[[rule.threat.technique.subtechnique]]
48id = "T1036.007"
49name = "Double File Extension"
50reference = "https://attack.mitre.org/techniques/T1036/007/"
51
52
53
54[rule.threat.tactic]
55id = "TA0005"
56name = "Defense Evasion"
57reference = "https://attack.mitre.org/tactics/TA0005/"
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1204"
62name = "User Execution"
63reference = "https://attack.mitre.org/techniques/T1204/"
64[[rule.threat.technique.subtechnique]]
65id = "T1204.002"
66name = "Malicious File"
67reference = "https://attack.mitre.org/techniques/T1204/002/"
68
69
70
71[rule.threat.tactic]
72id = "TA0002"
73name = "Execution"
74reference = "https://attack.mitre.org/tactics/TA0002/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

Related rules

to-top