Executable File Creation with Multiple Extensions
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2024/06/25"

[rule]
author = ["Elastic"]
description = """
Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
benign file type but is actually executable code.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Executable File Creation with Multiple Extensions"
risk_score = 47
rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
  not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.007"
name = "Double File Extension"
reference = "https://attack.mitre.org/techniques/T1036/007/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1204"
name = "User Execution"
reference = "https://attack.mitre.org/techniques/T1204/"
[[rule.threat.technique.subtechnique]]
id = "T1204.002"
name = "Malicious File"
reference = "https://attack.mitre.org/techniques/T1204/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
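To see exactly which file creations the query above fires on, the following is an added Python replay of its logic over a handful of constructed file-creation events. It is not Elastic's code and not how the rule engine evaluates EQL; it assumes a flat event record carrying the ECS fields the query reads, that EQL's `:` operator is a case-insensitive wildcard match (`*` any run of characters, `?` exactly one) and that `regex~` is a case-insensitive, whole-string match. The sample process and file paths are made up for the test.

```python
"""Added replay of the double-extension EQL rule over constructed events (not Elastic's code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """Assumed flat shape of one file event: the subset of ECS fields the query reads."""
    host_os_type: str
    event_type: str
    file_name: str
    file_extension: str
    file_path: str
    process_executable: str


# The regex from the rule's query, copied verbatim. EQL `regex~` is case-insensitive and
# anchored to the whole string, hence re.IGNORECASE and fullmatch() below.
DOUBLE_EXT_RE = re.compile(
    r".*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe",
    re.IGNORECASE,
)


def eql_wildcard(pattern: str) -> re.Pattern:
    """Translate an EQL `:` wildcard pattern to a Python regex.

    `*` matches any run of characters, `?` exactly one character; everything else is literal.
    The EQL `:` operator is case-insensitive, so the compiled pattern is too.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


# The rule's exclusion: msiexec or the QGIS SCCM installer writing into QGIS's GRASS tree.
EXCLUDED_PROCESSES = [eql_wildcard(p) for p in (
    r"?:\Windows\System32\msiexec.exe",
    r"C:\Users\*\QGIS_SCCM\Files\QGIS-OSGeo4W-*-Setup-x86_64.exe",
)]
EXCLUDED_PATH = eql_wildcard(r"?:\Program Files\QGIS *\apps\grass\*.exe")


def is_excluded(ev: FileEvent) -> bool:
    """Both halves of the `not (... and ...)` clause must hold for the event to be dropped."""
    proc_hit = any(p.fullmatch(ev.process_executable) for p in EXCLUDED_PROCESSES)
    return proc_hit and EXCLUDED_PATH.fullmatch(ev.file_path) is not None


def matches_rule(ev: FileEvent) -> bool:
    """Mirror of the query's `file where ...` predicate."""
    return (
        ev.host_os_type == "windows"
        and ev.event_type == "creation"
        and ev.file_extension.lower() == "exe"          # file.extension : "exe"
        and DOUBLE_EXT_RE.fullmatch(ev.file_name) is not None
        and not is_excluded(ev)
    )


# Constructed sample events (paths and names invented for this example).
SAMPLE_EVENTS = [
    # Classic lure: "document" delivered by a browser. Should alert.
    FileEvent("windows", "creation", "invoice.pdf.exe", "exe",
              r"C:\Users\jdoe\Downloads\invoice.pdf.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    # Upper-case variant: regex~ and `:` are case-insensitive, so this still alerts.
    FileEvent("windows", "creation", "Photo.JPG.EXE", "EXE",
              r"C:\Users\jdoe\Desktop\Photo.JPG.EXE", r"C:\Windows\explorer.exe"),
    # Single extension: no inner extension to masquerade, no alert.
    FileEvent("windows", "creation", "setup.exe", "exe",
              r"C:\Users\jdoe\Downloads\setup.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    # GRASS ships binaries like r.in.png.exe; written by the QGIS SCCM installer into the QGIS tree -> excluded.
    FileEvent("windows", "creation", "r.in.png.exe", "exe",
              r"C:\Program Files\QGIS 3.28.1\apps\grass\grass78\bin\r.in.png.exe",
              r"C:\Users\jdoe\QGIS_SCCM\Files\QGIS-OSGeo4W-3.28.1-1-Setup-x86_64.exe"),
    # Same name dropped by msiexec into a temp dir: process clause matches but path clause does not -> still alerts.
    FileEvent("windows", "creation", "r.in.png.exe", "exe",
              r"C:\Users\jdoe\AppData\Local\Temp\r.in.png.exe", r"C:\Windows\System32\msiexec.exe"),
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the file.path of every event the rule would alert on, in input order."""
    return [ev.file_path for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for path in alerts():
        print("ALERT", path)
```

The fourth and fifth sample events are the ones worth studying when tuning: the exclusion is a conjunction, so an msiexec drop outside the QGIS GRASS tree still alerts, and a tuning change that loosened it to the process alone would silence every installer-delivered `*.pdf.exe`. Note also that `txt` appears twice in the rule's alternation; this is redundant but harmless.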
Related rules
- Local Account TokenFilter Policy Disabled
- Suspicious Antimalware Scan Interface DLL
- Adobe Hijack Persistence
- Bypass UAC via Event Viewer
- Creation or Modification of Domain Backup DPAPI private key