IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Potential DLL Side-Loading via Microsoft Antimalware Service Executable Process Execution from an Unusual Directory »
Elastic Docs Elastic Security Solution [8.6] Downloadable rule update v8.2.1

Executable File Creation with Multiple Extensions

edit

Executable File Creation with Multiple Extensions

edit

Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 6

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit











Rule query
edit








file where event.type == "creation" and file.extension : "exe" and
  file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
  not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
       file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
  not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")




Framework: MITRE ATT&CKTM
















« Potential DLL Side-Loading via Microsoft Antimalware Service Executable


Process Execution from an Unusual Directory »