Execution of Suspicious File Type Extension

calendar Dec 21, 2023 · attack.defense_evasion  ·
Share on: linkedin copy

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Sigma rule (View on GitHub)

 1title: Execution of Suspicious File Type Extension
 2id: c09dad97-1c78-4f71-b127-7edb2b8e491a
 3status: experimental
 4description: |
 5    Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
 6    This rule might require some initial baselining to align with some third party tooling in the user environment.    
 7references:
 8    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 9author: Max Altgelt (Nextron Systems)
10date: 2021/12/09
11modified: 2023/11/23
12tags:
13    - attack.defense_evasion
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    known_image_extension:
19        Image|endswith:
20            - '.bin'
21            - '.cgi'
22            - '.com'
23            - '.exe'
24            - '.scr'
25            - '.tmp' # sadly many installers use this extension
26    filter_main_image: # Windows utilities without extension
27        Image:
28            - 'System'
29            - 'Registry'
30            - 'MemCompression'
31            - 'vmmem'
32    filter_main_msi_installers:
33        Image|contains: ':\Windows\Installer\MSI'
34    filter_main_driver_store:
35        Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
36    filter_main_msi_rollbackfiles:
37        Image|contains: ':\Config.Msi\'
38        Image|endswith:
39            - '.rbf'
40            - '.rbs'
41    filter_main_windows_temp:
42        - ParentImage|contains: ':\Windows\Temp\'
43        - Image|contains: ':\Windows\Temp\'
44    filter_main_deleted:
45        Image|contains: ':\$Extend\$Deleted\'
46    filter_main_empty:
47        Image:
48            - '-'
49            - ''
50    filter_main_null:
51        Image: null
52    filter_optional_avira:
53        ParentImage|contains: ':\ProgramData\Avira\'
54    filter_optional_nvidia:
55        Image|contains: 'NVIDIA\NvBackend\'
56        Image|endswith: '.dat'
57    filter_optional_winpakpro:
58        Image|contains:
59            - ':\Program Files (x86)\WINPAKPRO\'
60            - ':\Program Files\WINPAKPRO\'
61        Image|endswith: '.ngn'
62    filter_optional_myq_server:
63        Image|endswith:
64            - ':\Program Files (x86)\MyQ\Server\pcltool.dll'
65            - ':\Program Files\MyQ\Server\pcltool.dll'
66    filter_optional_wsl:
67        Image|contains|all:
68            - '\AppData\Local\Packages\'
69            - '\LocalState\rootfs\'
70    filter_optional_lzma_exe:
71        Image|endswith: '\LZMA_EXE'
72    filter_optional_firefox:
73        Image|contains: ':\Program Files\Mozilla Firefox\'
74    filter_optional_docker:
75        ParentImage: 'C:\Windows\System32\services.exe'
76        Image|endswith: 'com.docker.service'
77    condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
78falsepositives:
79    - Unknown
80level: medium

References

  • Process Ghosting

    Understanding how endpoint products work to identify malicious actions can lead to the discovery of security gaps which can be used for evasion during red team operations. The technique Process Her…


    Read More

Related rules

to-top