Suspicious Parent Double Extension File Execution
Detect execution of suspicious double extension files in ParentCommandLine
Sigma rule

```yaml
title: Suspicious Parent Double Extension File Execution
id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
      type: derived
status: test
description: Detect execution of suspicious double extension files in ParentCommandLine
references:
    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-06
modified: 2023-02-28
tags:
    - attack.defense-evasion
    - attack.t1036.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - ParentImage|endswith:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
        - ParentCommandLine|contains:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
    condition: selection
falsepositives:
    - Unknown
level: high
```
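To show how the `selection` block above is evaluated, here is an added Python re-implementation of its matching logic (example code written for this page, not part of the Sigma project or its backends). It ORs the two modifiers the way Sigma does for a list of maps, matches case-insensitively as Sigma string modifiers do, and runs over constructed process_creation events; the file paths and user names in the samples are made up.

```python
from typing import Dict, List, Tuple

# Document extensions and wrapper extensions taken from the rule; their product
# reproduces the rule's 18-entry suffix list in its original order (.doc.lnk ... .txt.js).
DOC_EXTS = ["doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "pdf", "txt"]
DOUBLE_EXTS = [f".{doc}.{wrap}" for wrap in ("lnk", "js") for doc in DOC_EXTS]


def matches_selection(event: Dict[str, str]) -> List[str]:
    """Evaluate the rule's `selection` block against one process_creation event.

    The block is a YAML list of two maps, which Sigma ORs together:
    ParentImage|endswith any suffix, OR ParentCommandLine|contains any suffix.
    Sigma string modifiers compare case-insensitively, hence the lower-casing.
    Returns the suffixes that fired; an empty list means the rule does not match.
    """
    parent_image = event.get("ParentImage", "").lower()
    parent_cmdline = event.get("ParentCommandLine", "").lower()
    return [ext for ext in DOUBLE_EXTS
            if parent_image.endswith(ext) or ext in parent_cmdline]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, fired suffixes) for every event the rule alerts on."""
    results = []
    for i, event in enumerate(events):
        hits = matches_selection(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # wscript started from a .pdf.js lure: caught via ParentCommandLine|contains
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.pdf.js"',
    },
    {   # Upper-case double extension: still matches because the comparison is case-insensitive
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r'C:\Windows\Explorer.EXE "C:\Users\alice\Desktop\REPORT.DOCX.LNK"',
    },
    {   # Ordinary Word document with a single extension: no match
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"',
    },
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: Suspicious Parent Double Extension File Execution -> {hits}")
```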