Windows Binaries Write Suspicious Extensions

calendar Apr 15, 2024 · attack.defense_evasion attack.t1036  ·
Share on: linkedin copy

Detects Windows executables that write files with suspicious extensions

Sigma rule (View on GitHub)

 1title: Windows Binaries Write Suspicious Extensions
 2id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
 3related:
 4    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
 5      type: derived
 6status: test
 7description: Detects Windows executables that write files with suspicious extensions
 8references:
 9    - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/08/12
12modified: 2024/04/15
13tags:
14    - attack.defense_evasion
15    - attack.t1036
16logsource:
17    category: file_event
18    product: windows
19detection:
20    selection_generic:
21        Image|endswith:
22            - '\csrss.exe'
23            - '\lsass.exe'
24            - '\RuntimeBroker.exe'
25            - '\sihost.exe'
26            - '\smss.exe'
27            - '\wininit.exe'
28            - '\winlogon.exe'
29        TargetFilename|endswith:
30            - '.bat'
31            - '.dll'
32            - '.exe'
33            - '.hta'
34            - '.iso'
35            - '.ps1'
36            - '.txt'
37            - '.vbe'
38            - '.vbs'
39    selection_special:
40        Image|endswith:
41            - '\dllhost.exe'
42            - '\rundll32.exe'
43            - '\svchost.exe'
44        TargetFilename|endswith:
45            - '.bat'
46            - '.hta'
47            - '.iso'
48            - '.ps1'
49            - '.vbe'
50            - '.vbs'
51    filter_main_AppLockerPolicyTest:
52        Image: 'C:\Windows\System32\dllhost.exe'
53        TargetFilename|contains|all:
54            - ':\Users\'
55            - '\AppData\Local\Temp\__PSScriptPolicyTest_'
56        TargetFilename|endswith: '.ps1'
57    filter_main_script_gpo_machine:
58        Image: 'C:\Windows\system32\svchost.exe'
59        TargetFilename|contains|all:
60            - 'C:\Windows\System32\GroupPolicy\DataStore\'
61            - '\sysvol\'
62            - '\Policies\'
63            - '\Machine\Scripts\Startup\'
64        TargetFilename|endswith:
65            - '.ps1'
66            - '.bat'
67    condition: 1 of selection_* and not 1 of filter_main_*
68falsepositives:
69    - Unknown
70level: high

References

Related rules

to-top