Suspicious Double Extension File Execution
Detects the execution of a file whose name hides an executable extension (.exe or .js) behind a document or media extension such as .pdf.exe, or pads the name with a run of spaces, underscores or Braille blank characters so that the real extension is pushed out of view, a common lure in spear-phishing campaigns.
Sigma rule
```yaml
title: Suspicious Double Extension File Execution
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
related:
    - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
      type: similar
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
    - https://twitter.com/blackorbird/status/1140519090961825792
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
date: 2019-06-26
modified: 2025-05-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - ' .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
        CommandLine|contains:
            - ' .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
    condition: selection
falsepositives:
    - Unknown
level: high
```
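To see exactly which events the selection above fires on, here is an added example that re-implements the rule's matching logic in plain Python and runs it over a handful of constructed process_creation events. This is not code from the rule or from the SigmaHQ project; the field names (`Image`, `CommandLine`) follow Sysmon Event ID 1, and all sample events are made up for the demonstration. Sigma's `endswith` and `contains` modifiers compare case-insensitively, and the keys inside one selection map are AND-ed, so both fields have to hit.

```python
from typing import Dict, List, Optional

# Patterns copied from the rule's selection. The same list is used for both
# Image|endswith and CommandLine|contains. The last entry is six U+2800
# (Braille Pattern Blank) characters followed by .exe.
DOUBLE_EXTENSIONS: List[str] = [
    " .exe",
    "______.exe",
    ".doc.exe", ".doc.js",
    ".docx.exe", ".docx.js",
    ".gif.exe", ".jpeg.exe", ".jpg.exe",
    ".mkv.exe", ".mov.exe", ".mp3.exe", ".mp4.exe",
    ".pdf.exe", ".pdf.js",
    ".png.exe",
    ".ppt.exe", ".ppt.js",
    ".pptx.exe", ".pptx.js",
    ".rtf.exe", ".rtf.js",
    ".svg.exe",
    ".txt.exe", ".txt.js",
    ".xls.exe", ".xls.js",
    ".xlsx.exe", ".xlsx.js",
    "\u2800" * 6 + ".exe",
]


def ends_with_any(value: str, patterns: List[str]) -> bool:
    """Sigma |endswith over a list: OR of the values, case-insensitive."""
    v = value.lower()
    return any(v.endswith(p.lower()) for p in patterns)


def contains_any(value: str, patterns: List[str]) -> bool:
    """Sigma |contains over a list: OR of the values, case-insensitive."""
    v = value.lower()
    return any(p.lower() in v for p in patterns)


def matches_rule(event: Dict[str, str]) -> bool:
    """True if the event satisfies `condition: selection`.

    Inside one Sigma selection map the keys are AND-ed, so the event must
    have an Image ending in a listed pattern AND a CommandLine containing
    one. An absent field can never match.
    """
    image: Optional[str] = event.get("Image")
    cmdline: Optional[str] = event.get("CommandLine")
    if image is None or cmdline is None:
        return False
    return ends_with_any(image, DOUBLE_EXTENSIONS) and contains_any(cmdline, DOUBLE_EXTENSIONS)


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule fires on, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed process_creation events using Sysmon Event ID 1 field names.
# These are not real telemetry.
BRAILLE_PAD = "\u2800" * 6
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. classic lure: document-looking name, real extension is .exe
    {"Image": r"C:\Users\alice\Downloads\Invoice_2024.pdf.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\Invoice_2024.pdf.exe"'},
    # 2. upper-case variant; Sigma matching is case-insensitive
    {"Image": r"C:\Users\bob\AppData\Local\Temp\Photo.JPG.EXE",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\Photo.JPG.EXE"'},
    # 3. name padded with Braille blanks so the .exe is pushed out of view
    {"Image": "C:\\Users\\carol\\Desktop\\Report.pdf" + BRAILLE_PAD + ".exe",
     "CommandLine": '"C:\\Users\\carol\\Desktop\\Report.pdf' + BRAILLE_PAD + '.exe"'},
    # 4. benign: a space inside the path is not a space directly before .exe
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": r'"C:\Program Files\Vendor\updater.exe" /silent'},
    # 5. cmd.exe merely referencing a double-extension file: Image does not
    #    end in a pattern, so the AND fails and the rule stays quiet
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Temp\payload.pdf.exe C:\Temp\x.exe"},
    # 6. double-extension Image but empty CommandLine, as in Security 4688
    #    events collected without command-line auditing: no match
    {"Image": r"C:\Users\dave\Downloads\Resume.docx.exe",
     "CommandLine": ""},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two practical consequences follow from the AND between `Image` and `CommandLine`. First, a process that only names a double-extension file on its command line (event 5, `cmd.exe` copying a payload) does not trigger the rule; only the execution of the disguised file itself does. Second, if your source is Windows Security 4688 rather than Sysmon, the `CommandLine` field is empty unless the "Include command line in process creation events" policy is enabled, and the rule will never fire (event 6); confirm that field is populated before relying on this detection. The six-underscore and six-U+2800 patterns also match any longer run of the same character, since only the tail of the name is compared.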
Related rules
- Disk Image Mounting Via Hdiutil - MacOS
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759