Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Execution of Suspicious File Type Extension

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Max Altgelt (Nextron Systems)Created Thu Dec 09Updated Thu Nov 23c09dad97-1c78-4f71-b127-7edb2b8e491awindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic17 selectors
detection:
    known_image_extension:
        Image|endswith:
            - '.bin'
            - '.cgi'
            - '.com'
            - '.exe'
            - '.scr'
            - '.tmp' # sadly many installers use this extension
    filter_main_image: # Windows utilities without extension
        Image:
            - 'System'
            - 'Registry'
            - 'MemCompression'
            - 'vmmem'
    filter_main_msi_installers:
        Image|contains: ':\Windows\Installer\MSI'
    filter_main_driver_store:
        Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
    filter_main_msi_rollbackfiles:
        Image|contains: ':\Config.Msi\'
        Image|endswith:
            - '.rbf'
            - '.rbs'
    filter_main_windows_temp:
        - ParentImage|contains: ':\Windows\Temp\'
        - Image|contains: ':\Windows\Temp\'
    filter_main_deleted:
        Image|contains: ':\$Extend\$Deleted\'
    filter_main_empty:
        Image:
            - '-'
            - ''
    filter_main_null:
        Image: null
    filter_optional_avira:
        ParentImage|contains: ':\ProgramData\Avira\'
    filter_optional_nvidia:
        Image|contains: 'NVIDIA\NvBackend\'
        Image|endswith: '.dat'
    filter_optional_winpakpro:
        Image|contains:
            - ':\Program Files (x86)\WINPAKPRO\'
            - ':\Program Files\WINPAKPRO\'
        Image|endswith: '.ngn'
    filter_optional_myq_server:
        Image|endswith:
            - ':\Program Files (x86)\MyQ\Server\pcltool.dll'
            - ':\Program Files\MyQ\Server\pcltool.dll'
    filter_optional_wsl:
        Image|contains|all:
            - '\AppData\Local\Packages\'
            - '\LocalState\rootfs\'
    filter_optional_lzma_exe:
        Image|endswith: '\LZMA_EXE'
    filter_optional_firefox:
        Image|contains: ':\Program Files\Mozilla Firefox\'
    filter_optional_docker:
        ParentImage: 'C:\Windows\System32\services.exe'
        Image|endswith: 'com.docker.service'
    condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
pentestlaboratories.com
MITRE ATT&CK
Rule Metadata
Rule ID
c09dad97-1c78-4f71-b127-7edb2b8e491a
Status
test
Level
medium
Type
Detection
Created
Thu Dec 09
Modified
Thu Nov 23
Author
Max Altgelt (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
Raw Tags
attack.defense-evasion
View on GitHub