Detects the creation of files with "LNK" as a second extension. Malware sometimes uses this to abuse the fact that Windows hides the "LNK" extension by default.
Detects dropped files with double extensions, which malware often uses to abuse the fact that Windows hides file extensions by default.
Detects execution of suspicious double-extension files in ParentCommandLine.
Detects process creation utilizing double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.