Type: Threat Hunt | Level: medium | Status: test
Non-DLL Extension File Renamed With DLL Extension
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
Log Source
Product: windows (Windows)
Category: file_rename (File Rename)
Definition
Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword
Detection Logic (9 selectors)
detection:
    selection:
        TargetFilename|endswith: '.dll'
    filter_main_dll:
        # Note: To avoid file renames
        SourceFilename|endswith: '.dll'
    filter_main_installers:
        SourceFilename|endswith: '.tmp'
    filter_main_empty_source:
        SourceFilename: ''
    filter_main_null_source:
        SourceFilename: null
    filter_main_tiworker:
        Image|contains: ':\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_main_upgrade:
        - Image|endswith: ':\Windows\System32\wuauclt.exe'
        - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
    filter_optional_squirrel:
        SourceFilename|contains: '\SquirrelTemp\temp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
Likely from installers and temporary locations
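To show how the selection and the filter exclusions above combine, here is an added evaluator (not the Sigma project's code and not part of the rule) that applies this rule's logic to a few constructed file-rename events; it assumes Sigma's case-insensitive endswith/contains semantics and treats null as an absent field.

```python
# Added example, not the Sigma project's code: evaluates this rule's selection and
# filter logic over constructed rename events (case-insensitive Sigma matching assumed).
def _lc(value):
    """Lower-case a field value; a missing field (null) becomes ''."""
    return (value or "").lower()

def selection(ev):
    return _lc(ev.get("TargetFilename")).endswith(".dll")

def filters(ev):
    src, img, tgt = ev.get("SourceFilename"), _lc(ev.get("Image")), _lc(ev.get("TargetFilename"))
    return {
        "filter_main_dll": _lc(src).endswith(".dll"),
        "filter_main_installers": _lc(src).endswith(".tmp"),
        "filter_main_empty_source": src == "",
        "filter_main_null_source": src is None,
        # two keys inside one mapping are ANDed
        "filter_main_tiworker": ":\\windows\\winsxs\\" in img and img.endswith("\\tiworker.exe"),
        # a list of mappings is ORed
        "filter_main_upgrade": img.endswith(":\\windows\\system32\\wuauclt.exe")
                               or ":\\$windows.~bt\\sources\\" in tgt,
        "filter_main_generic": any(p in img for p in (":\\program files (x86)\\", ":\\program files\\")),
        "filter_optional_squirrel": "\\squirreltemp\\temp" in _lc(src),
    }

def matches(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    f = filters(ev)
    return (selection(ev)
            and not any(v for k, v in f.items() if k.startswith("filter_main_"))
            and not any(v for k, v in f.items() if k.startswith("filter_optional_")))

def hunt(events):
    return [e["TargetFilename"] for e in events if matches(e)]

# Constructed sample events (all paths and names are made up for this example)
EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",            # flagged
     "SourceFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dat",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll"},
    {"Image": "C:\\Windows\\WinSxS\\amd64_servicing-stack\\TiWorker.exe",    # filter_main_tiworker
     "SourceFilename": "C:\\Windows\\WinSxS\\Temp\\PendingRenames\\abc",
     "TargetFilename": "C:\\Windows\\System32\\example.dll"},
    {"Image": "C:\\Windows\\System32\\wuauclt.exe",                           # filter_main_upgrade
     "SourceFilename": "C:\\Windows\\SoftwareDistribution\\Download\\x.bin",
     "TargetFilename": "C:\\Windows\\SoftwareDistribution\\Download\\x.dll"},
    {"Image": "C:\\Windows\\explorer.exe", "SourceFilename": None,            # filter_main_null_source
     "TargetFilename": "C:\\Users\\alice\\Downloads\\tool.dll"},
]
```

Only the first event survives the exclusions; the other three are each suppressed by exactly one named filter, which is a quick way to see where a tuning change would widen or narrow the hunt.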
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1036.008 Masquerade File Type (attack.t1036.008)
Other: detection.threat-hunting
Rule Metadata
Rule ID
bbfd974c-248e-4435-8de6-1e938c79c5c1
Status
test
Level
medium
Type
Threat Hunt
Created
Sat Feb 19
Modified
Sat Nov 11
Author
Path
rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
Raw Tags
attack.defense-evasion, attack.t1036.008, detection.threat-hunting