Windows Binaries Write Suspicious Extensions

Detects Windows executables that writes files with suspicious extensions

Sigma rule (View on GitHub)

 1title: Windows Binaries Write Suspicious Extensions
 2id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
 3related:
 4    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
 5      type: derived
 6status: test
 7description: Detects Windows executables that writes files with suspicious extensions
 8references:
 9    - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/08/12
12modified: 2023/03/14
13tags:
14    - attack.defense_evasion
15    - attack.t1036
16logsource:
17    category: file_event
18    product: windows
19detection:
20    selection_generic:
21        Image|endswith:
22            - '\smss.exe'
23            - '\RuntimeBroker.exe'
24            - '\sihost.exe'
25            - '\lsass.exe'
26            - '\csrss.exe'
27            - '\winlogon.exe'
28            - '\wininit.exe'
29        TargetFilename|endswith:
30            - '.bat'
31            - '.vbe'
32            - '.txt'
33            - '.vbs'
34            - '.exe'
35            - '.ps1'
36            - '.hta'
37            - '.iso'
38            - '.dll'
39    selection_special:
40        Image|endswith:
41            - '\rundll32.exe'
42            - '\svchost.exe'
43            - '\dllhost.exe'
44        TargetFilename|endswith:
45            - '.bat'
46            - '.vbe'
47            - '.vbs'
48            - '.ps1'
49            - '.hta'
50            - '.iso'
51    condition: 1 of selection_*
52falsepositives:
53    - Unknown
54level: high

References

Related rules

to-top