Executable File Creation with Multiple Extensions

  1[metadata]
  2creation_date = "2021/01/19"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is
 11when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a
 12benign file type but is actually executable code.
 13"""
 14from = "now-9m"
 15index = [
 16    "winlogbeat-*",
 17    "logs-endpoint.events.file-*",
 18    "logs-windows.sysmon_operational-*",
 19    "endgame-*",
 20    "logs-m365_defender.event-*",
 21    "logs-sentinel_one_cloud_funnel.*",
 22]
 23language = "eql"
 24license = "Elastic License v2"
 25name = "Executable File Creation with Multiple Extensions"
 26note = """## Triage and analysis
 27
 28> **Disclaimer**:
 29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 30
 31### Investigating Executable File Creation with Multiple Extensions
 32
 33In Windows environments, adversaries may exploit file extensions to disguise malicious executables as benign files, such as documents or images, by appending multiple extensions. This tactic, known as masquerading, aims to deceive users and evade security measures. The detection rule identifies suspicious file creations by monitoring for executables with misleading extensions, excluding known legitimate processes, thus highlighting potential threats.
 34
 35### Possible investigation steps
 36
 37- Review the file creation event details to identify the full file path and name, focusing on the extensions used to determine if they match the suspicious pattern outlined in the query.
 38- Investigate the process that created the file by examining the process.executable field to determine if it is a known legitimate process or potentially malicious.
 39- Check the file's origin by analyzing the user account and network activity associated with the file creation event to identify any unusual or unauthorized access patterns.
 40- Utilize threat intelligence sources to assess if the file hash or any related indicators of compromise (IOCs) are known to be associated with malicious activity.
 41- Examine the file's metadata and properties to verify its authenticity and check for any signs of tampering or unusual characteristics.
 42- Conduct a behavioral analysis of the file in a controlled environment to observe any malicious actions or network communications it may attempt.
 43
 44### False positive analysis
 45
 46- Legitimate software installations may create executables with multiple extensions during setup processes. Users can exclude these by adding exceptions for known installer paths, such as "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe".
 47- System updates or patches might temporarily create files with multiple extensions. Monitor and verify these activities, and if confirmed as legitimate, add exceptions for the specific update processes.
 48- Development environments or script-based applications may generate files with multiple extensions for testing purposes. Identify these environments and exclude their specific file paths or processes to prevent false positives.
 49- Security tools or administrative scripts might use multiple extensions for legitimate purposes. Review and whitelist these tools by their executable paths or process names to avoid unnecessary alerts.
 50
 51### Response and remediation
 52
 53- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
 54- Terminate any suspicious processes associated with the masquerading executable files to halt any ongoing malicious actions.
 55- Quarantine the identified files with multiple extensions to prevent execution and further analysis.
 56- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional threats.
 57- Review and restore any altered system configurations or files to their original state to ensure system integrity.
 58- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 59- Implement enhanced monitoring and logging for similar file creation activities to improve detection and response capabilities for future incidents."""
 60risk_score = 47
 61rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
 62severity = "medium"
 63tags = [
 64    "Domain: Endpoint",
 65    "OS: Windows",
 66    "Use Case: Threat Detection",
 67    "Tactic: Defense Evasion",
 68    "Data Source: Elastic Endgame",
 69    "Data Source: Elastic Defend",
 70    "Data Source: Sysmon",
 71    "Data Source: Microsoft Defender for Endpoint",
 72    "Data Source: SentinelOne",
 73    "Resources: Investigation Guide",
 74]
 75timestamp_override = "event.ingested"
 76type = "eql"
 77
 78query = '''
 79file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
 80  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
 81  not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
 82       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
 83'''
 84
 85
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88[[rule.threat.technique]]
 89id = "T1036"
 90name = "Masquerading"
 91reference = "https://attack.mitre.org/techniques/T1036/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1036.007"
 94name = "Double File Extension"
 95reference = "https://attack.mitre.org/techniques/T1036/007/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0005"
101name = "Defense Evasion"
102reference = "https://attack.mitre.org/tactics/TA0005/"
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105[[rule.threat.technique]]
106id = "T1204"
107name = "User Execution"
108reference = "https://attack.mitre.org/techniques/T1204/"
109[[rule.threat.technique.subtechnique]]
110id = "T1204.002"
111name = "Malicious File"
112reference = "https://attack.mitre.org/techniques/T1204/002/"
113
114
115
116[rule.threat.tactic]
117id = "TA0002"
118name = "Execution"
119reference = "https://attack.mitre.org/tactics/TA0002/"