Process Creation With Double File Extension
Detects process creation utilizing double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
Sigma rule

```yaml
title: Process Creation With Double File Extension
id: dd980d89-f015-4d55-b762-ef200843308c
status: experimental
description: Detects process creation utilizing double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.
references:
    - https://www.pcmag.com/encyclopedia/term/double-extension
    - Original research by Micah Babinski
author: Micah Babinski, @micahbabinski
date: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.007
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    selection2:
        Image|re: ^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high
```
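To see exactly what the two `|re` selections accept and reject, the following added example (not part of the rule or of the Sigma project) applies the rule's regex and its `selection1 or selection2` condition to a handful of constructed `process_creation` events using the same `Image` and `ParentImage` field names. The event values are made up for illustration; the regex itself is copied verbatim from the rule and behaves identically under Python's `re`. Two of the samples show the regex's edges: a lure whose file name contains a hyphen falls outside `[a-zA-Z0-9]` and is missed, while a benign version-dotted name such as `updater.v2.exe` is caught.

```python
import re

# Regex copied from the Sigma rule: after some backslash, the rest of the path must be
# alnum.alnum.alnum, i.e. the final component has exactly two dots and nothing but
# letters and digits around them.
DOUBLE_EXT_RE = re.compile(r"^.*\\[a-zA-Z0-9]*\.[a-zA-Z0-9]*\.[a-zA-Z0-9]*$")


def has_double_extension(path: str) -> bool:
    """True when the path matches the rule's regex."""
    return DOUBLE_EXT_RE.match(path) is not None


def rule_matches(event) -> bool:
    """Evaluate the rule's condition 'selection1 or selection2' on one event.
    selection1 tests ParentImage, selection2 tests Image; an absent field never matches."""
    return (has_double_extension(event.get("ParentImage", ""))
            or has_double_extension(event.get("Image", "")))


def matching_events(events):
    """Return the Image of every event the rule would alert on, in input order."""
    return [e.get("Image", "") for e in events if rule_matches(e)]


# Constructed process_creation events (not real telemetry), in the field names the rule uses.
SAMPLE_EVENTS = [
    # Document-looking name with a trailing executable extension -> alerts via selection2
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\Invoice.pdf.exe"},
    # Child is ordinary, but the parent carried the double extension -> alerts via selection1
    {"ParentImage": r"C:\Users\alice\Downloads\Report.docx.scr",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Normal activity, single extension on both sides -> no alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    # Hyphen in the file name is outside [a-zA-Z0-9], so this lure is NOT matched
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\my-invoice.pdf.exe"},
    # Constructed benign name with a version segment: two dots -> alerts (likely false positive)
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Tools\updater.v2.exe"},
]

if __name__ == "__main__":
    for image in matching_events(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Because the regex only admits letters and digits in the final component, any file name containing a space, hyphen or underscore is invisible to the rule even when it ends in `.pdf.exe`; conversely, any legitimately dotted name with exactly two dots trips it, which is where local tuning of `falsepositives` would start.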
Related rules
- Suspicious Command Line Containing Right-to-Left Override
- Bumblebee WmiPrvSE execution pattern
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Command or Scripting Interpreter Creating EXE File
- File Creation of Executables in Temp Folders (Event 4663)