Rule Library
Sigma Rules
2 rules found
3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest
Suspicious Appended Extension
Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
WindowsFile Rename
TA0040 · ImpactT1486 · Data Encrypted for Impact
François HubautSat Jul 16windows
Threat Huntmediumtest
Non-DLL Extension File Renamed With DLL Extension
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
WindowsFile Rename
TA0005 · Defense EvasionT1036.008 · Masquerade File Typedetection.threat-hunting
François HubautSat Feb 19windows