IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Exchange Mailbox Export via PowerShell Executable File with Unusual Extension »
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference

Executable File Creation with Multiple Extensions

edit

Executable File Creation with Multiple Extensions

edit

Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend

Version: 106

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
  not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
  not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")

Framework: MITRE ATT&CKTM

« Exchange Mailbox Export via PowerShell Executable File with Unusual Extension »