Suspicious Double Extension File Execution
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith " .exe,______.exe,.doc.exe,.doc.js,.docx.exe,.docx.js,.gif.exe,.jpeg.exe,.jpg.exe,.mkv.exe,.mov.exe,.mp3.exe,.mp4.exe,.pdf.exe,.pdf.js" OR PROCESSNAME endswith ".png.exe,.ppt.exe,.ppt.js,.pptx.exe,.pptx.js,.rtf.exe,.rtf.js,.svg.exe,.txt.exe,.txt.js,.xls.exe,.xls.js,.xlsx.exe,.xlsx.js,⠀⠀⠀⠀⠀⠀.exe") AND (COMMANDLINE contains " .exe,______.exe,.doc.exe,.doc.js,.docx.exe,.docx.js,.gif.exe,.jpeg.exe,.jpg.exe,.mkv.exe,.mov.exe,.mp3.exe,.mp4.exe,.pdf.exe,.pdf.js" OR COMMANDLINE contains ".png.exe,.ppt.exe,.ppt.js,.pptx.exe,.pptx.js,.rtf.exe,.rtf.js,.svg.exe,.txt.exe,.txt.js,.xls.exe,.xls.js,.xlsx.exe,.xlsx.js,⠀⠀⠀⠀⠀⠀.exe") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
