Download by Process with Double File Extension
Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
Sigma rule (View on GitHub)
1title: Download by Process with Double File Extension
2id: 60dbde0d-57dc-40e4-a95c-3488f319f216
3status: experimental
4description: Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
5references:
6 - https://isc.sans.edu/diary/rss/29470
7 - Home lab research by Micah Babinski
8author: Micah Babinski, @micahbabinski
9date: 2023/01/30
10tags:
11 - attack.defense_evasion
12 - attack.command_and_control
13 - attack.t1218
14 - attack.t1218.009
15 - attack.t1071
16 - attack.t1071.004
17logsource:
18 category: create_stream_hash
19 product: windows
20detection:
21 selection:
22 Image|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
23 condition: selection
24falsepositives:
25 - Unknown
26level: high```
References
Related rules
- DNS Query From Process with Double File Extension
- File Creation by Process with Double File Extension
- Network Connection From Process with Double File Extension
- Suspicious Process Injection to RegAsm
- Suspicious Registry Key Added: LanmanServer Parameters