Detectionhightest

Windows Binaries Write Suspicious Extensions

Detects Windows executables that write files with suspicious extensions

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Fri Aug 12Updated Tue Oct 07b8fd0e93-ff58-4cbd-8f48-1c114e342e62windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection_generic:
        Image|endswith:
            - '\csrss.exe'
            - '\lsass.exe'
            - '\RuntimeBroker.exe'
            - '\sihost.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.txt'
            - '.vbe'
            - '.vbs'
    selection_special:
        Image|endswith:
            - '\dllhost.exe'
            - '\rundll32.exe'
            - '\svchost.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    filter_main_AppLockerPolicyTest:
        Image: 'C:\Windows\System32\dllhost.exe'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\__PSScriptPolicyTest_'
        TargetFilename|endswith: '.ps1'
    filter_main_script_gpo_machine:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Windows\System32\GroupPolicy\DataStore\'
            - '\sysvol\'
            - '\Policies\'
            - '\Machine\Scripts\Startup\'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
    filter_main_clipchamp:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Program Files\WindowsApps\Clipchamp'
            - '.ps1'
    filter_main_powershell_preview:
        Image:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_* and not 1 of filter_main_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1036 · Masquerading

Related Rules

DerivedDetectionhigh

Windows Shell/Scripting Application File Write to Suspicious Folder

Detects Windows shells and scripting applications that write files to suspicious folders

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

b8fd0e93-ff58-4cbd-8f48-1c114e342e62

Status

test

Level

high

Type

Detection

Created

Fri Aug 12

Modified

Tue Oct 07

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml

Raw Tags

attack.defense-evasionattack.t1036

View on GitHub