Windows Binaries Write Suspicious Extensions
Detects Windows executables that write files with suspicious extensions
Sigma rule (View on GitHub)
1title: Windows Binaries Write Suspicious Extensions
2id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
3related:
4 - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
5 type: derived
6status: test
7description: Detects Windows executables that write files with suspicious extensions
8references:
9 - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-08-12
12modified: 2024-04-15
13tags:
14 - attack.defense-evasion
15 - attack.t1036
16logsource:
17 category: file_event
18 product: windows
19detection:
20 selection_generic:
21 Image|endswith:
22 - '\csrss.exe'
23 - '\lsass.exe'
24 - '\RuntimeBroker.exe'
25 - '\sihost.exe'
26 - '\smss.exe'
27 - '\wininit.exe'
28 - '\winlogon.exe'
29 TargetFilename|endswith:
30 - '.bat'
31 - '.dll'
32 - '.exe'
33 - '.hta'
34 - '.iso'
35 - '.ps1'
36 - '.txt'
37 - '.vbe'
38 - '.vbs'
39 selection_special:
40 Image|endswith:
41 - '\dllhost.exe'
42 - '\rundll32.exe'
43 - '\svchost.exe'
44 TargetFilename|endswith:
45 - '.bat'
46 - '.hta'
47 - '.iso'
48 - '.ps1'
49 - '.vbe'
50 - '.vbs'
51 filter_main_AppLockerPolicyTest:
52 Image: 'C:\Windows\System32\dllhost.exe'
53 TargetFilename|contains|all:
54 - ':\Users\'
55 - '\AppData\Local\Temp\__PSScriptPolicyTest_'
56 TargetFilename|endswith: '.ps1'
57 filter_main_script_gpo_machine:
58 Image: 'C:\Windows\system32\svchost.exe'
59 TargetFilename|contains|all:
60 - 'C:\Windows\System32\GroupPolicy\DataStore\'
61 - '\sysvol\'
62 - '\Policies\'
63 - '\Machine\Scripts\Startup\'
64 TargetFilename|endswith:
65 - '.ps1'
66 - '.bat'
67 condition: 1 of selection_* and not 1 of filter_main_*
68falsepositives:
69 - Unknown
70level: high
References
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution