Execution of Suspicious File Type Extension

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Sigma rule (View on GitHub)

title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: experimental
description: |
    Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
    This rule might require some initial baselining to align with some third party tooling in the user environment.
references:
    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021/12/09
modified: 2023/11/23
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    known_image_extension:
        Image|endswith:
            - '.bin'
            - '.cgi'
            - '.com'
            - '.exe'
            - '.scr'
            - '.tmp' # sadly many installers use this extension
    filter_main_image: # Windows utilities without extension
        Image:
            - 'System'
            - 'Registry'
            - 'MemCompression'
            - 'vmmem'
    filter_main_msi_installers:
        Image|contains: ':\Windows\Installer\MSI'
    filter_main_driver_store:
        Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
    filter_main_msi_rollbackfiles:
        Image|contains: ':\Config.Msi\'
        Image|endswith:
            - '.rbf'
            - '.rbs'
    filter_main_windows_temp:
        - ParentImage|contains: ':\Windows\Temp\'
        - Image|contains: ':\Windows\Temp\'
    filter_main_deleted:
        Image|contains: ':\$Extend\$Deleted\'
    filter_main_empty:
        Image:
            - '-'
            - ''
    filter_main_null:
        Image: null
    filter_optional_avira:
        ParentImage|contains: ':\ProgramData\Avira\'
    filter_optional_nvidia:
        Image|contains: 'NVIDIA\NvBackend\'
        Image|endswith: '.dat'
    filter_optional_winpakpro:
        Image|contains:
            - ':\Program Files (x86)\WINPAKPRO\'
            - ':\Program Files\WINPAKPRO\'
        Image|endswith: '.ngn'
    filter_optional_myq_server:
        Image|endswith:
            - ':\Program Files (x86)\MyQ\Server\pcltool.dll'
            - ':\Program Files\MyQ\Server\pcltool.dll'
    filter_optional_wsl:
        Image|contains|all:
            - '\AppData\Local\Packages\'
            - '\LocalState\rootfs\'
    filter_optional_lzma_exe:
        Image|endswith: '\LZMA_EXE'
    filter_optional_firefox:
        Image|contains: ':\Program Files\Mozilla Firefox\'
    filter_optional_docker:
        ParentImage: 'C:\Windows\System32\services.exe'
        Image|endswith: 'com.docker.service'
    condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
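
The rule's condition evaluated in Python over constructed process-creation events, as an added example that is not part of the original rule or of any Sigma backend. It covers only `known_image_extension` and the `filter_main_*` group (the `filter_optional_*` selections are left out), and the function names and sample events are assumptions made for illustration.

```python
# Added example: evaluates part of the rule's condition over constructed events.
# Covers known_image_extension and filter_main_* only; filter_optional_* is omitted.
KNOWN_EXT = ('.bin', '.cgi', '.com', '.exe', '.scr', '.tmp')
NO_EXT_IMAGES = {'system', 'registry', 'memcompression', 'vmmem'}
MAIN_PATH_FILTERS = (':\\windows\\installer\\msi',
                     ':\\windows\\system32\\driverstore\\filerepository\\',
                     ':\\$extend\\$deleted\\')

def filter_main(event):
    """True if any filter_main_* selection matches (1 of filter_main_*)."""
    image = event.get('Image')
    if image is None:                                # filter_main_null
        return True
    img = image.lower()                              # Sigma string matching is case-insensitive
    parent = (event.get('ParentImage') or '').lower()
    if img in ('-', '') or img in NO_EXT_IMAGES:     # filter_main_empty, filter_main_image
        return True
    if any(p in img for p in MAIN_PATH_FILTERS):     # msi_installers, driver_store, deleted
        return True
    # filter_main_msi_rollbackfiles is a map: both conditions must hold (AND)
    if ':\\config.msi\\' in img and img.endswith(('.rbf', '.rbs')):
        return True
    # filter_main_windows_temp is a list of maps: either entry is enough (OR)
    return ':\\windows\\temp\\' in parent or ':\\windows\\temp\\' in img

def rule_matches(event):
    """not known_image_extension and not 1 of filter_main_*"""
    image = event.get('Image')
    known = image is not None and image.lower().endswith(KNOWN_EXT)
    return not known and not filter_main(event)

# Constructed sample events (not real telemetry)
EVENTS = [
    {'Image': 'C:\\Users\\alice\\Downloads\\report.pdf', 'ParentImage': 'C:\\Windows\\explorer.exe'},
    {'Image': 'C:\\Windows\\System32\\cmd.exe', 'ParentImage': 'C:\\Windows\\explorer.exe'},
    {'Image': 'C:\\Config.Msi\\3f2a1.rbf', 'ParentImage': 'C:\\Windows\\System32\\msiexec.exe'},
    {'Image': 'C:\\Config.Msi\\unknown.dat', 'ParentImage': 'C:\\Windows\\System32\\msiexec.exe'},
    {'Image': 'C:\\ProgramData\\tool.dat', 'ParentImage': 'C:\\Windows\\Temp\\setup\\run.exe'},
    {'Image': 'vmmem', 'ParentImage': None},
    {'Image': None, 'ParentImage': None},
]

def alerts(events):
    """Return the Image value of every event the rule subset would flag."""
    return [e['Image'] for e in events if rule_matches(e)]

if __name__ == '__main__':
    print(alerts(EVENTS))
```

The `.dat` file under `Config.Msi` still alerts because the rollback filter requires both the path and the `.rbf`/`.rbs` suffix, while the `Windows\Temp` filter suppresses on either the parent or the image path alone.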
