Process Creation without .exe File Extension
Detects process creations where the Image does not have a .exe file extension.
Sigma rule (View on GitHub)
```yaml
title: Process Creation without .exe File Extension
id: 02dc3892-2fd0-4dd5-b2d7-62052a837abe
status: experimental
description: Detects process creations where the Image does not have a .exe file extension.
references:
  - https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf
author: Micah Babinski
date: 2022/12/11
tags:
  - attack.defense_evasion
  - attack.t1036.003
  - attack.t1036
  - attack.s1020
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '.exe'
  condition: not selection
falsepositives:
  - Unknown
level: high
```
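The rule's logic, applied to a handful of constructed process_creation events, as an added example (not part of the rule or the Sigma project). It assumes Sigma's default case-insensitive `endswith` matching and shows one property of the `not selection` condition worth knowing before deploying: an event whose Image field is absent also fires.

```python
"""Evaluate 'Process Creation without .exe File Extension' over sample events.

Sigma string modifiers such as |endswith compare case-insensitively unless the
rule says otherwise, so the Image value is lowercased before the comparison.
"""

# Constructed sample events, not real telemetry. Field names follow the Sigma
# process_creation taxonomy (Image, ParentImage). The last record deliberately
# lacks Image, as a partially parsed event might.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\SVCHOST.EXE", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\update.dat", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Temp\svc.tmp", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe"},
]


def selection_matches(event: dict) -> bool:
    """selection: Image|endswith: '.exe' (case-insensitive)."""
    image = event.get("Image")
    if image is None:
        # A missing field cannot satisfy the selection.
        return False
    return image.lower().endswith(".exe")


def rule_fires(event: dict) -> bool:
    """condition: not selection.

    Because the condition is a negation, an event with no Image field fires
    too. If the pipeline can emit such events, require the field to be present
    before applying this rule, or the alert volume will include parser gaps.
    """
    return not selection_matches(event)


def evaluate(events: list) -> list:
    """Return the subset of events this rule would alert on."""
    return [event for event in events if rule_fires(event)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit.get("Image", "<Image missing>"))
```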
References
Related rules
- Command or Scripting Interpreter Creating EXE File
- File Creation of Executables in Temp Folders (Event 4663)
- Unexpected Internal Process Name
- Process Executing with Unusual Command Lines