Suspicious Double Extension Files
Detects dropped files with double extensions (for example "invoice.pdf.exe"), a technique malware uses to abuse the fact that Windows Explorer hides known file extensions by default, so the file appears to be a document or image.
Log source: file event logs (e.g. Sysmon Event ID 11, FileCreate) covering file system activity including creation, modification, and deletion.
detection:
    selection_gen:
        TargetFilename|endswith:
            - '.exe'
            - '.iso'
            - '.rar'
            - '.svg'
            - '.zip'
            # - '.lnk' # legitimate links can happen just anywhere
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.gif.'
            - '.jpeg.'
            - '.jpg.'
            - '.mp3.'
            - '.mp4.'
            - '.pdf.'
            - '.png.'
            - '.ppt.'
            - '.pptx.'
            - '.rtf.'
            - '.svg.'
            - '.txt.'
            - '.xls.'
            - '.xlsx.'
    selection_exe:
        TargetFilename|endswith:
            - '.rar.exe'
            - '.zip.exe'
    # Note: If you want to keep using the ".lnk" extension, uncomment this filter and add additional locations
    # filter_main_lnk:
    #     TargetFilename|contains:
    #         - '\AppData\Roaming\Microsoft\Office\Recent\'
    #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_icons_linux:
        TargetFilename|startswith: '/usr/share/icons/'
    condition: 1 of selection_* and not 1 of filter_*

False positives: unlikely for most environments. High-confidence detection.
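To see exactly which file names the rule above fires on, here is an added example (not part of the Sigma rule or the Sigma project) that re-implements the two selections, the filter and the condition in plain Python and runs them over a handful of constructed file-create events. Sigma string modifiers (`endswith`, `contains`, `startswith`) are case-insensitive, so the implementation lower-cases the path before matching; the sample paths and the `SAMPLE_EVENTS` list are invented for illustration.

```python
"""Reference implementation of the "Suspicious Double Extension Files" logic.

Added example: mirrors the Sigma detection block so the matching behaviour
can be checked against concrete file names. The sample events below are
constructed for illustration, not real telemetry.
"""

# selection_gen: final extension must be one of these ...
GEN_SUFFIXES = ('.exe', '.iso', '.rar', '.svg', '.zip')
# ... AND the name must contain a "document-looking" extension followed by a dot.
GEN_INFIXES = ('.doc.', '.docx.', '.gif.', '.jpeg.', '.jpg.', '.mp3.', '.mp4.',
               '.pdf.', '.png.', '.ppt.', '.pptx.', '.rtf.', '.svg.', '.txt.',
               '.xls.', '.xlsx.')
# selection_exe: archive-looking names that are really executables.
EXE_SUFFIXES = ('.rar.exe', '.zip.exe')
# filter_icons_linux: icon themes legitimately use names like foo.png.svg.
ICON_PREFIX = '/usr/share/icons/'


def selection_gen(name: str) -> bool:
    """Both modifiers of selection_gen must hold (keys in one selection are ANDed)."""
    return name.endswith(GEN_SUFFIXES) and any(infix in name for infix in GEN_INFIXES)


def selection_exe(name: str) -> bool:
    return name.endswith(EXE_SUFFIXES)


def filter_icons_linux(name: str) -> bool:
    return name.startswith(ICON_PREFIX)


def matches(target_filename: str) -> bool:
    """condition: 1 of selection_* and not 1 of filter_*

    Sigma string matching is case-insensitive, hence the lower() call.
    """
    name = target_filename.lower()
    return (selection_gen(name) or selection_exe(name)) and not filter_icons_linux(name)


# Constructed file-create events (Sysmon EID 11 style) used to exercise the rule.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\photos.zip.exe"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Downloads\\Report.DOCX.zip"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\bob\\Desktop\\notes.txt"},
    {"Image": "/usr/bin/dpkg",
     "TargetFilename": "/usr/share/icons/hicolor/scalable/apps/logo.png.svg"},
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Downloads\\archive.rar"},
    {"Image": "C:\\Program Files\\Outlook\\outlook.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\scan.jpg.exe"},
]


def run(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e["TargetFilename"])]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it flags `invoice.pdf.exe`, `photos.zip.exe`, `Report.DOCX.zip` and `scan.jpg.exe`, and leaves `notes.txt`, `archive.rar` and the icon-theme `.png.svg` alone. The `Report.DOCX.zip` hit is worth noting when tuning: because `selection_gen` only requires a document extension somewhere before the final `.zip`, an archive named after the document it contains matches too, so environments where users routinely zip single documents may want an additional filter on `.zip`/`.rar` endings combined with `.docx.`/`.xlsx.` infixes.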
Related rule: Suspicious Double Extension File Execution
Detects suspicious execution of a file whose name places an .exe extension after a non-executable extension (e.g. .pdf.exe), or pads the name with a run of spaces or underscores to push the real extension out of view, as seen in spear-phishing campaigns.
This rule was derived from that related rule; both detect similar activity with different scope (file creation here, process execution there).
Related rule: Suspicious LNK Double Extension File Created
Detects the creation of files with "LNK" as a second extension. This is sometimes used by malware to abuse the fact that Windows hides the ".lnk" extension by default.
Detects similar activity; since the ".lnk" ending is commented out of this rule, the LNK rule covers that case, and both rules may fire on overlapping events.