Suspicious Double Extension File Execution

Detects suspicious use of an .exe (or .js) extension following a non-executable file extension, such as .pdf.exe, or a run of spaces or underscores placed before the real extension, a trick used in spear-phishing campaigns to cloak an executable as a document.

Sigma rule

title: Suspicious Double Extension File Execution
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
related:
    - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
      type: similar
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
    - https://twitter.com/blackorbird/status/1140519090961825792
author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
date: 2019/06/26
modified: 2023/02/28
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '.doc.exe'
            - '.docx.exe'
            - '.xls.exe'
            - '.xlsx.exe'
            - '.ppt.exe'
            - '.pptx.exe'
            - '.rtf.exe'
            - '.pdf.exe'
            - '.txt.exe'
            - '      .exe'
            - '______.exe'
            - '.doc.js'
            - '.docx.js'
            - '.xls.js'
            - '.xlsx.js'
            - '.ppt.js'
            - '.pptx.js'
            - '.rtf.js'
            - '.pdf.js'
            - '.txt.js'
        CommandLine|contains:
            - '.doc.exe'
            - '.docx.exe'
            - '.xls.exe'
            - '.xlsx.exe'
            - '.ppt.exe'
            - '.pptx.exe'
            - '.rtf.exe'
            - '.pdf.exe'
            - '.txt.exe'
            - '      .exe'
            - '______.exe'
            - '.doc.js'
            - '.docx.js'
            - '.xls.js'
            - '.xlsx.js'
            - '.ppt.js'
            - '.pptx.js'
            - '.rtf.js'
            - '.pdf.js'
            - '.txt.js'
    condition: selection
falsepositives:
    - Unknown
level: critical
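To make the matching semantics of the rule concrete, here is an added Python example (not part of the Sigma project or this rule) that applies the selection above to a handful of constructed process_creation events. It assumes the usual Sigma conventions: the two fields inside one selection map are ANDed, the values listed under a field are ORed, and endswith/contains comparisons are case-insensitive. The suffix list is copied from the rule; the sample events are invented for illustration.

```python
from typing import Dict, List

# Suffix lists copied from the rule's selection block.
DOC_EXTS = [".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".pdf", ".txt"]
CLOAK_SUFFIXES = (
    [ext + ".exe" for ext in DOC_EXTS]
    + ["      .exe", "______.exe"]   # six spaces / six underscores, as written in the rule
    + [ext + ".js" for ext in DOC_EXTS]
)


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's 'selection' to one process_creation event.

    Assumed Sigma semantics: fields inside one selection map are ANDed,
    the list values under a field are ORed, and string matching
    (endswith / contains) is case-insensitive.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_hit = any(image.endswith(s.lower()) for s in CLOAK_SUFFIXES)
    cmdline_hit = any(s.lower() in cmdline for s in CLOAK_SUFFIXES)
    return image_hit and cmdline_hit


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image path of every event the rule would alert on."""
    return [e.get("Image", "") for e in events if matches_rule(e)]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Classic lookalike: document extension followed by .exe -> alert
    {"Image": r"C:\Users\alice\Downloads\Invoice_2023.pdf.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\Invoice_2023.pdf.exe"'},
    # Benign editor opening a real .txt file -> no alert
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    # Whitespace padding before the real extension -> alert
    {"Image": r"C:\Users\bob\Desktop\Report.docx      .exe",
     "CommandLine": r'"C:\Users\bob\Desktop\Report.docx      .exe"'},
    # Upper-case variant, caught by case-insensitive matching -> alert
    {"Image": r"C:\Temp\SALARY.XLS.EXE",
     "CommandLine": r"C:\Temp\SALARY.XLS.EXE"},
    # Telemetry with no CommandLine field: only the Image half of the
    # ANDed selection is satisfied -> no alert
    {"Image": r"C:\Users\carol\Downloads\Agenda.txt.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last sample event is the operational caveat worth knowing: because Image and CommandLine sit in the same selection map, both must match. A log source that omits the command line (or truncates it) will not trigger this rule even when the image path is an obvious double extension, so check that the process_creation feed you point it at actually carries CommandLine.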
