Suspicious LNK Double Extension File Created

Detects the creation of files whose name carries a document or image extension followed by ".lnk" (for example Invoice.pdf.lnk). Malware droppers and phishing archives use this double extension because Windows Explorer never displays the ".lnk" extension of a shortcut, independent of the "hide extensions for known file types" setting (the lnkfile file class is registered with the NeverShowExt flag), so a shortcut that runs an attacker-chosen command line shows up in the file listing as Invoice.pdf.

Sigma rule

title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
    - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
      type: derived
status: experimental
description: |
        Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022/11/07
modified: 2023/10/18
tags:
    - attack.defense_evasion
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.lnk'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpg.'
            - '.pdf.'
            - '.ppt.'
            - '.pptx.'
            - '.xls.'
            - '.xlsx.'
    filter_main_recent:
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_optional_office_recent:
        Image|endswith:
            # Note: Some additional Office applications might need to be added
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
    filter_optional_office_excel:
        Image|endswith: '\excel.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
    filter_optional_office_powerpoint:
        Image|endswith: '\powerpnt.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
    filter_optional_office_word:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some tuning is required for other general purpose directories of third party apps
level: medium
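The rule's selection and filters, re-implemented in Python and run over a handful of constructed Sysmon Event ID 11 (FileCreate) records, as an added example that is not part of the SigmaHQ rule or of this page. The event dicts, the fictional user "alice" and the process paths are assumptions made up for the demo; Sigma string matching is case-insensitive, which the code mirrors by lower-casing both sides of every comparison.

```python
# Added example: the detection logic of the Sigma rule above, expressed as
# plain Python predicates over Sysmon FileCreate records. This is illustration
# code, not the SigmaHQ project's own code. Each record is a dict keyed by the
# Sigma field names the rule uses (Image, TargetFilename). Sigma string
# matching is case-insensitive, so every comparison lower-cases its operands.

from typing import Dict, List

Event = Dict[str, str]

# selection: TargetFilename|contains (note the trailing dot: ".pdf." means a
# ".pdf" segment that is itself followed by another extension).
DOC_EXTENSIONS = ('.doc.', '.docx.', '.jpg.', '.pdf.', '.ppt.', '.pptx.', '.xls.', '.xlsx.')

# filter_main_recent: shortcuts Explorer writes for recently opened files.
RECENT_DIR = '\\appdata\\roaming\\microsoft\\windows\\recent\\'

# filter_optional_office_recent: Office's own MRU shortcuts, only when the
# writer is one of the Office binaries.
OFFICE_IMAGES = ('\\excel.exe', '\\powerpnt.exe', '\\winword.exe')
OFFICE_RECENT_DIR = '\\appdata\\roaming\\microsoft\\office\\recent\\'

# filter_optional_office_{excel,powerpoint,word}: per-application folder,
# bound to the application that legitimately writes there.
OFFICE_APP_DIRS = {
    '\\excel.exe': '\\appdata\\roaming\\microsoft\\excel',
    '\\powerpnt.exe': '\\appdata\\roaming\\microsoft\\powerpoint',
    '\\winword.exe': '\\appdata\\roaming\\microsoft\\word',
}


def _field(ev: Event, name: str) -> str:
    """Fetch a field, lower-cased, treating a missing field as empty."""
    return ev.get(name, '').lower()


def selection(ev: Event) -> bool:
    """TargetFilename ends with .lnk and has a document/image extension before it."""
    target = _field(ev, 'TargetFilename')
    return target.endswith('.lnk') and any(ext in target for ext in DOC_EXTENSIONS)


def filter_main_recent(ev: Event) -> bool:
    return RECENT_DIR in _field(ev, 'TargetFilename')


def filter_optional_office_recent(ev: Event) -> bool:
    return (_field(ev, 'Image').endswith(OFFICE_IMAGES)
            and OFFICE_RECENT_DIR in _field(ev, 'TargetFilename'))


def filter_optional_office_app(ev: Event) -> bool:
    image, target = _field(ev, 'Image'), _field(ev, 'TargetFilename')
    return any(image.endswith(exe) and folder in target
               for exe, folder in OFFICE_APP_DIRS.items())


def rule_matches(ev: Event) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(ev)
            and not filter_main_recent(ev)
            and not (filter_optional_office_recent(ev) or filter_optional_office_app(ev)))


def run_rule(events: List[Event]) -> List[str]:
    """Return the TargetFilename of every event the rule fires on, in input order."""
    return [ev['TargetFilename'] for ev in events if rule_matches(ev)]


# Constructed FileCreate events (not real telemetry); user and paths are fictional.
SAMPLE_EVENTS: List[Event] = [
    # 1. Archive tool extracting a phishing lure: fires.
    {'Image': 'C:\\Program Files\\7-Zip\\7zG.exe',
     'TargetFilename': 'C:\\Users\\alice\\Downloads\\Invoice_2023\\Invoice.pdf.lnk'},
    # 2. Explorer's recent-items shortcut: suppressed by filter_main_recent.
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.docx.lnk'},
    # 3. Word writing its MRU shortcut: suppressed by filter_optional_office_recent.
    {'Image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\Recent\\budget.xlsx.lnk'},
    # 4. Excel writing under its own folder: suppressed by filter_optional_office_excel.
    {'Image': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\quarterly.xlsx.lnk'},
    # 5. PowerShell dropping a shortcut into the Word folder: the filter is bound
    #    to winword.exe, so a non-Office writer in that path still fires.
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\Resume.DOCX.LNK'},
    # 6. Shortcut without a document extension: outside the selection.
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\Desktop\\Notes.txt.lnk'},
    # 7. ".pdf" not followed by a dot: outside the selection as well.
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\Desktop\\Viewer for .pdf files.lnk'},
]

if __name__ == '__main__':
    for hit in run_rule(SAMPLE_EVENTS):
        print('ALERT:', hit)
```

Event 5 is the reason the optional filters pin each path to the Office binary that legitimately writes there: a PowerShell process dropping a shortcut into the Word folder still fires. When tuning for the third-party directories the falsepositives entry mentions, add exceptions of the same shape (Image plus path) rather than path-only ones, which an attacker satisfies simply by choosing the drop directory.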
