Type: Detection | Level: medium | Status: test
Suspicious LNK Double Extension File Created
Detects the creation of .lnk files whose name carries a document or image extension immediately before the .lnk (for example invoice.pdf.lnk). Malware sometimes uses this to pass a shortcut off as a document, relying on the fact that Windows hides the .lnk extension of shortcut files by default, so the victim sees only "invoice.pdf".
Authors: Nasreddine Bencherchali (Nextron Systems), François Hubaut
Created: Mon Nov 07
Updated: Wed Oct 18
Rule ID: 3215aa19-f060-4332-86d5-5602511f3ca8
Product: windows
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
detection:
    selection:
        TargetFilename|endswith: '.lnk'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpg.'
            - '.pdf.'
            - '.ppt.'
            - '.pptx.'
            - '.xls.'
            - '.xlsx.'
    filter_main_recent:
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_optional_office_recent:
        Image|endswith:
            # Note: some additional Office applications might need to be added
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
    filter_optional_office_excel:
        Image|endswith: '\excel.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
    filter_optional_office_powerpoint:
        Image|endswith: '\powerpnt.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
    filter_optional_office_word:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Windows Explorer and the Office applications legitimately create document.docx.lnk style shortcuts in the Recent and per-application folders excluded above. Third-party applications that keep their own recent-file or shortcut directories will produce the same pattern and need their own filters, so expect further tuning in those environments.
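To make the condition concrete, here is an added example (not the rule's own code, and not Sigma's or any backend's tooling) that re-implements the selection and the filters in plain Python and runs them over constructed Sysmon Event ID 11 (FileCreate) records. It reproduces the Sigma semantics the rule relies on: endswith/contains are case-insensitive, list values under one field are OR-ed, fields inside one map are AND-ed, and the condition is selection AND NOT any filter. The field names Image and TargetFilename are the rule's; every event is constructed, and the 7-Zip process path is hypothetical. Event 7 shows an edge the per-application filters leave open: Excel writing into Word's folder is not excluded, because each filter pairs a binary only with its own folder.

```python
# Added example, not the Sigma rule's own code: plain-Python evaluation of the rule over
# constructed FileCreate events. Sigma string modifiers are case-insensitive by default,
# list values are OR-ed, fields within one selection map are AND-ed.

DOC_EXTENSIONS = ('.doc.', '.docx.', '.jpg.', '.pdf.', '.ppt.', '.pptx.', '.xls.', '.xlsx.')
OFFICE_IMAGES = ('\\excel.exe', '\\powerpnt.exe', '\\winword.exe')
WINDOWS_RECENT = '\\appdata\\roaming\\microsoft\\windows\\recent\\'
OFFICE_RECENT = '\\appdata\\roaming\\microsoft\\office\\recent\\'
# filter_optional_office_{excel,powerpoint,word}: each binary paired with its own AppData folder
OFFICE_APP_DIRS = (
    ('\\excel.exe', '\\appdata\\roaming\\microsoft\\excel'),
    ('\\powerpnt.exe', '\\appdata\\roaming\\microsoft\\powerpoint'),
    ('\\winword.exe', '\\appdata\\roaming\\microsoft\\word'),
)


def _field(event, name):
    """Return a field lower-cased (Sigma matching is case-insensitive); missing field -> ''."""
    return str(event.get(name, '')).lower()


def selection(event):
    """selection: ends with .lnk AND contains one of the listed extensions followed by a dot."""
    target = _field(event, 'TargetFilename')
    return target.endswith('.lnk') and any(ext in target for ext in DOC_EXTENSIONS)


def filter_main_recent(event):
    """Explorer's own recent-items shortcuts under ...\\Windows\\Recent\\."""
    return WINDOWS_RECENT in _field(event, 'TargetFilename')


def filter_optional_office_recent(event):
    """An Office binary writing into Office's shared Recent folder."""
    return (_field(event, 'Image').endswith(OFFICE_IMAGES)
            and OFFICE_RECENT in _field(event, 'TargetFilename'))


def filter_optional_office_app(event):
    """An Office binary writing into its own AppData folder (Excel into ...\\Excel, etc.)."""
    image, target = _field(event, 'Image'), _field(event, 'TargetFilename')
    return any(image.endswith(img) and folder in target for img, folder in OFFICE_APP_DIRS)


FILTERS = (filter_main_recent, filter_optional_office_recent, filter_optional_office_app)


def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


def alerts(events):
    """TargetFilename of every event the rule fires on, in input order."""
    return [e['TargetFilename'] for e in events if matches(e)]


# Constructed FileCreate records (Sysmon Event ID 11 style); nothing here was captured from a host.
OFFICE16 = 'C:\\Program Files\\Microsoft Office\\root\\Office16\\'
SAMPLE_EVENTS = [
    # 1. a shortcut posing as a PDF in Downloads: the case the rule exists for -> alert
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\Downloads\\Invoice.pdf.lnk'},
    # 2. Explorer's recent-items shortcut for a real document -> filter_main_recent
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.docx.lnk'},
    # 3. Word's recent-file shortcut, upper-case .LNK to show case-insensitivity -> filter_optional_office_recent
    {'Image': OFFICE16 + 'WINWORD.EXE',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\Recent\\report.docx.LNK'},
    # 4. Excel writing into its own AppData folder -> filter_optional_office_excel
    {'Image': OFFICE16 + 'EXCEL.EXE',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\budget.xlsx.lnk'},
    # 5. an archiver (hypothetical path) dropping a .jpg.lnk into Temp -> alert
    {'Image': 'C:\\Program Files\\7-Zip\\7zG.exe',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Local\\Temp\\photo.jpg.lnk'},
    # 6. .txt is not in the rule's extension list -> not selected at all
    {'Image': 'C:\\Windows\\explorer.exe',
     'TargetFilename': 'C:\\Users\\alice\\Desktop\\notes.txt.lnk'},
    # 7. Excel writing into Word's folder: per-app filters pair a binary only with its own folder -> alert
    {'Image': OFFICE16 + 'EXCEL.EXE',
     'TargetFilename': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\x.docx.lnk'},
]

if __name__ == '__main__':
    for name in alerts(SAMPLE_EVENTS):
        print('ALERT', name)
```

Tuning for a third-party application, as the False Positives note asks for, is a matter of adding one more filter function to FILTERS that pairs that application's binary with its own shortcut directory; keeping the pairing tight, as the Office filters do, is what keeps event 7 style cross-application writes visible.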
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1036.007 Masquerading: Double File Extension (attack.t1036.007)
Rule Metadata
Rule ID
3215aa19-f060-4332-86d5-5602511f3ca8
Status
test
Level
medium
Type
Detection
Created
Mon Nov 07
Modified
Wed Oct 18
Path
rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml
Raw Tags
attack.defense-evasion
attack.t1036.007