Suspicious Appended Extension
Detection rule, level medium, status test
Detects file renames where the target filename ends up with an uncommon double extension. This can indicate ransomware renaming files and appending a custom extension to the encrypted copies, such as ".jpg.crypted" or ".docx.locky".
Log Source
Product: Windows (raw: windows)
Category: File Rename (raw: file_rename)
Definition
Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword
Detection Logic (3 selectors)
```yaml
detection:
    selection:
        SourceFilename|endswith:
            - '.doc'
            - '.docx'
            - '.jpeg'
            - '.jpg'
            - '.lnk'
            - '.pdf'
            - '.png'
            - '.pst'
            - '.rtf'
            - '.xls'
            - '.xlsx'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpeg.'
            - '.jpg.'
            - '.lnk.'
            - '.pdf.'
            - '.png.'
            - '.pst.'
            - '.rtf.'
            - '.xls.'
            - '.xlsx.'
    filter_main_generic:
        TargetFilename|endswith:
            # Note: Please add more used extensions by backup or recovery software
            - '.backup'
            - '.bak'
            - '.old'
            - '.orig'
            - '.temp'
            - '.tmp'
    filter_optional_anaconda:
        TargetFilename|contains: ':\ProgramData\Anaconda3\'
        TargetFilename|endswith: '.c~'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
```

False Positives
Backup software
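The following Python is an added example, not part of the rule or of the Sigma project. It transcribes the detection section above into Python literals and evaluates it over a few constructed file-rename events using Sigma's default semantics: the keys inside one selector are ANDed, a list of values is ORed, `1 of filter_*` is true if any matching filter selector matches, and string comparison is case-insensitive. All paths, file names and appended extensions in the sample events are made up.

```python
"""Evaluate the 'Suspicious Appended Extension' Sigma logic over constructed events.

Added example; the evaluator is a minimal stand-in for a Sigma backend and only
supports the modifiers this rule uses (endswith, contains).
"""
import fnmatch

# Detection section of the rule, transcribed from the YAML into Python literals.
DETECTION = {
    "selection": {
        "SourceFilename|endswith": [
            ".doc", ".docx", ".jpeg", ".jpg", ".lnk", ".pdf",
            ".png", ".pst", ".rtf", ".xls", ".xlsx",
        ],
        "TargetFilename|contains": [
            ".doc.", ".docx.", ".jpeg.", ".jpg.", ".lnk.", ".pdf.",
            ".png.", ".pst.", ".rtf.", ".xls.", ".xlsx.",
        ],
    },
    "filter_main_generic": {
        "TargetFilename|endswith": [".backup", ".bak", ".old", ".orig", ".temp", ".tmp"],
    },
    "filter_optional_anaconda": {
        "TargetFilename|contains": ":\\ProgramData\\Anaconda3\\",
        "TargetFilename|endswith": ".c~",
    },
}

# Filter selectors referenced by the rule's condition:
#   selection and not 1 of filter_main_* and not 1 of filter_optional_*
FILTER_GLOBS = ("filter_main_*", "filter_optional_*")


def _match_value(field_value, modifier, pattern):
    """Sigma string matching is case-insensitive by default."""
    fv, p = field_value.lower(), pattern.lower()
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "contains":
        return p in fv
    if modifier == "":
        return fv == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selector_matches(event, selector):
    """A selector map is an AND of its keys; a list of values is an OR."""
    for key, patterns in selector.items():
        field, _, modifier = key.partition("|")
        value = event.get(field, "")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(value, modifier, p) for p in patterns):
            return False
    return True


def rule_matches(event, detection=DETECTION):
    """Apply the rule's condition to one file-rename event."""
    if not selector_matches(event, detection["selection"]):
        return False
    filters = [
        name for name in detection
        if any(fnmatch.fnmatch(name, g) for g in FILTER_GLOBS)
    ]
    # "not 1 of filter_*": any matching filter suppresses the alert.
    return not any(selector_matches(event, detection[name]) for name in filters)


# Constructed sample events (SourceFilename -> TargetFilename); none are real telemetry.
SAMPLE_EVENTS = {
    "ransomware_docx": {
        "SourceFilename": "C:\\Users\\alice\\Documents\\report.docx",
        "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx.locky",
    },
    "ransomware_uppercase_jpg": {  # exercises case-insensitive matching
        "SourceFilename": "C:\\Users\\alice\\Pictures\\photo.JPG",
        "TargetFilename": "C:\\Users\\alice\\Pictures\\photo.JPG.crypted",
    },
    "backup_software_bak": {  # suppressed by filter_main_generic
        "SourceFilename": "C:\\Users\\alice\\Documents\\budget.xlsx",
        "TargetFilename": "C:\\Users\\alice\\Documents\\budget.xlsx.bak",
    },
    "anaconda_tilde": {  # suppressed by filter_optional_anaconda (both keys must match)
        "SourceFilename": "C:\\ProgramData\\Anaconda3\\Lib\\logo.png",
        "TargetFilename": "C:\\ProgramData\\Anaconda3\\Lib\\logo.png.c~",
    },
    "plain_rename": {  # target has no '.docx.' substring, so selection fails
        "SourceFilename": "C:\\Users\\alice\\Documents\\report.docx",
        "TargetFilename": "C:\\Users\\alice\\Documents\\report_final.docx",
    },
}


def evaluate_samples():
    """Return {label: matched} for every constructed sample event."""
    return {label: rule_matches(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{label:28s} -> {'ALERT' if hit else 'no match'}")
```

The uppercase `.JPG` sample is worth keeping in any test set: Sigma semantics are case-insensitive, but a backend that emits case-sensitive string functions for `endswith`/`contains` would silently miss it, so check the converted query against that event, not just the lowercase one. The Anaconda filter is an AND of its two keys, so a `.c~` rename outside `:\ProgramData\Anaconda3\` still alerts.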
MITRE ATT&CK
Tactics: Impact
Techniques: T1486 Data Encrypted for Impact
Rule Metadata
Rule ID
e3f673b3-65d1-4d80-9146-466f8b63fa99
Status
test
Level
medium
Type
Detection
Created
Sat Jul 16
Modified
Sat Nov 11
Author
Path
rules/windows/file/file_rename/file_rename_win_ransomware.yml
Raw Tags
attack.impact, attack.t1486