Rename Common File to DLL File

Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection

Sigma rule

title: Rename Common File to DLL File
id: bbfd974c-248e-4435-8de6-1e938c79c5c1
status: experimental
description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection
references:
    - https://twitter.com/ffforward/status/1481672378639912960
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
author: frack113
date: 2022/02/19
modified: 2023/01/02
tags:
    - attack.defense_evasion
    - attack.t1036.008
logsource:
    product: windows
    category: file_rename
    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
    to_dll:
        TargetFilename|endswith: '.dll'
    filter_from_dll:
        - SourceFilename|endswith:
            - '.dll'
            - '.tmp'  # VSCode FP
        - SourceFilename|contains:
            - '.dll.'
            - '\SquirrelTemp\temp'
    filter_empty_source:
        SourceFilename: ''
    filter_non_existing_source:
        SourceFilename: null
    filter_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_upgrade:
        - Image: 'C:\Windows\System32\wuauclt.exe'
        - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\'
    filter_program_files:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: to_dll and not 1 of filter*
falsepositives:
    - Application installation
level: medium
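To make the detection logic concrete, the following Python evaluator is an added example written for this page; it is not code from the Sigma project or the rule author. It applies the rule's condition (`to_dll and not 1 of filter*`) block by block, using Sigma's default case-insensitive string matching, to a handful of constructed file_rename events. Only the field names (Image, SourceFilename, TargetFilename) come from the rule; every process path and file name in the sample events is made up.

```python
# Added example: a small evaluator for the rule's detection logic, written
# for this page and not taken from the Sigma project. String comparisons are
# lower-cased because Sigma string matching is case-insensitive by default.
# All events, process paths and file names below are constructed.

from typing import Optional


def _lc(value: Optional[str]) -> Optional[str]:
    """Lower-case a string field, leaving None (field absent) untouched."""
    return value.lower() if isinstance(value, str) else value


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `to_dll and not 1 of filter*`.

    Each filter_* block below mirrors one block of the Sigma rule. A Sigma
    map (YAML dict) ANDs its fields; a YAML list of maps ORs its items.
    """
    target = _lc(event.get("TargetFilename"))
    source = event.get("SourceFilename")
    image = _lc(event.get("Image")) or ""

    # to_dll: TargetFilename|endswith '.dll'
    if not (isinstance(target, str) and target.endswith(".dll")):
        return False

    # filter_non_existing_source (null) and filter_empty_source ('')
    if source is None or source == "":
        return False
    src = source.lower()

    # filter_from_dll: either list item (endswith OR contains) suppresses
    if src.endswith((".dll", ".tmp")):
        return False
    if ".dll." in src or "\\squirreltemp\\temp" in src:
        return False

    # filter_tiworker: both fields must match (map => AND)
    if image.startswith("c:\\windows\\winsxs\\") and image.endswith("\\tiworker.exe"):
        return False

    # filter_upgrade: either list item suppresses (list => OR)
    if image == "c:\\windows\\system32\\wuauclt.exe":
        return False
    if target.startswith("c:\\$windows.~bt\\sources\\"):
        return False

    # filter_program_files: either prefix suppresses
    if image.startswith(("c:\\program files (x86)\\", "c:\\program files\\")):
        return False

    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: text file renamed to .dll from a user-writable temp directory -> alert
        "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
        "SourceFilename": r"C:\Users\alice\Downloads\readme.txt",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
    },
    {   # 1: .tmp -> .dll, the VSCode false positive the rule filters
        "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "SourceFilename": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\app.tmp",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\app.dll",
    },
    {   # 2: installer running from Program Files (filter_program_files)
        "Image": r"C:\Program Files\ExampleApp\setup.exe",
        "SourceFilename": r"C:\Program Files\ExampleApp\plugin.bin",
        "TargetFilename": r"C:\Program Files\ExampleApp\plugin.dll",
    },
    {   # 3: component servicing by TiWorker under WinSxS (filter_tiworker)
        "Image": r"C:\Windows\WinSxS\amd64_servicingstack_example\TiWorker.exe",
        "SourceFilename": r"C:\Windows\System32\pending.x",
        "TargetFilename": r"C:\Windows\System32\new.dll",
    },
    {   # 4: source field absent from the event (filter_non_existing_source)
        "Image": r"C:\Users\bob\tool.exe",
        "SourceFilename": None,
        "TargetFilename": r"C:\Users\bob\tool.dll",
    },
    {   # 5: rename away from .dll, so to_dll never matches
        "Image": r"C:\Users\bob\tool.exe",
        "SourceFilename": r"C:\Users\bob\lib.dll",
        "TargetFilename": r"C:\Users\bob\lib.exe",
    },
]


def alerting_events(events: list) -> list:
    """Return the indices of the events the rule would raise as alerts."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerting_events(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"[{i}] {e['Image']}: {e['SourceFilename']} -> {e['TargetFilename']}")
```

Run stand-alone, only event 0 is reported. The ordering of checks does not matter for correctness, since every filter is a negation ORed under `not 1 of filter*`; the evaluator simply returns early on the first filter that fires. When tuning the rule for a real environment, each additional exclusion should be added as its own `filter_*` block so the condition keeps working without edits.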
