diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
index 46b9ff3fb2f..2c0c31a95a1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml
@@ -8,9 +8,9 @@ description: Detects suspicious use of an .exe extension after a non-executable
 references:
 - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
 - https://twitter.com/blackorbird/status/1140519090961825792
-author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
+author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems), MalGamy (Nextron Systems)
 date: 2019-06-26
-modified: 2023-02-28
+modified: 2024-10-01
 tags:
 - attack.initial-access
 - attack.t1566.001
@@ -29,6 +29,63 @@ detection:
 - '.rtf.exe'
 - '.pdf.exe'
 - '.txt.exe'
+ - '.jpg.exe'
+ - '.png.exe'
+ - '.zip.exe'
+ - '.rar.exe'
+ - '.mp4.exe'
+ - '.mp3.exe'
+ - '.avi.exe'
+ - '.mov.exe'
+ - '.gif.exe'
+ - '.bmp.exe'
+ - '.csv.exe'
+ - '.log.exe'
+ - '.dll.exe'
+ - '.bat.exe'
+ - '.html.exe'
+ - '.php.exe'
+ - '.ps1.exe'
+ - '.vbs.exe'
+ - '.js.exe'
+ - '.msi.exe'
+ - '.iso.exe'
+ - '.tar.exe'
+ - '.7z.exe'
+ - '.apk.exe'
+ - '.bin.exe'
+ - '.deb.exe'
+ - '.rpm.exe'
+ - '.sys.exe'
+ - '.svg.exe'
+ - '.tiff.exe'
+ - '.ini.exe'
+ - '.sql.exe'
+ - '.json.exe'
+ - '.xml.exe'
+ - '.dat.exe'
+ - '.tmp.exe'
+ - '.bak.exe'
+ - '.config.exe'
+ - '.psd.exe'
+ - '.mkv.exe'
+ - '.flv.exe'
+ - '.ogg.exe'
+ - '.wav.exe'
+ - '.mid.exe'
+ - '.ttf.exe'
+ - '.otf.exe'
+ - '.epub.exe'
+ - '.mobi.exe'
+ - '.md.exe'
+ - '.md5.exe'
+ - '.yml.exe'
+ - '.yaml.exe'
+ - '.lua.exe'
+ - '.sh.exe'
+ - '.cmd.exe'
+ - '.exe.exe'
+ - '.dmg.exe'
 - ' .exe'
 - '______.exe'
 - '.doc.js'
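Review bot: Several of the new values in the +29,63 hunk — `.exe.exe`, `.dll.exe`, `.sys.exe`, `.msi.exe` and the script extensions `.bat.exe`, `.cmd.exe`, `.ps1.exe`, `.vbs.exe`, `.js.exe`, `.sh.exe`, `.lua.exe` — are not "a non-executable" type as the rule's `description` (visible in the first hunk header) states, so the description now understates what the rule fires on; reword it along the lines of `description: Detects suspicious use of an .exe extension after a non-executable, archive, script or binary extension (e.g. .pdf.exe, .ps1.exe, .exe.exe)`. Entries such as `.tmp.exe`, `.bak.exe`, `.dat.exe`, `.bin.exe`, `.config.exe` and `.log.exe` are plausibly produced by legitimate installers or by operators keeping a renamed copy of a binary, so the rule's `falsepositives` section and level — both outside this hunk — should be revisited, and a filter considered, before the broadened list ships. The list's field and modifier (presumably an `endswith` on the image path) sit before the hunk, so the matching semantics could not be confirmed from what is shown here.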
@@ -50,6 +107,63 @@ detection:
 - '.rtf.exe'
 - '.pdf.exe'
 - '.txt.exe'
+ - '.jpg.exe'
+ - '.png.exe'
+ - '.zip.exe'
+ - '.rar.exe'
+ - '.mp4.exe'
+ - '.mp3.exe'
+ - '.avi.exe'
+ - '.mov.exe'
+ - '.gif.exe'
+ - '.bmp.exe'
+ - '.csv.exe'
+ - '.log.exe'
+ - '.dll.exe'
+ - '.bat.exe'
+ - '.html.exe'
+ - '.php.exe'
+ - '.ps1.exe'
+ - '.vbs.exe'
+ - '.js.exe'
+ - '.msi.exe'
+ - '.iso.exe'
+ - '.tar.exe'
+ - '.7z.exe'
+ - '.apk.exe'
+ - '.bin.exe'
+ - '.deb.exe'
+ - '.rpm.exe'
+ - '.sys.exe'
+ - '.svg.exe'
+ - '.tiff.exe'
+ - '.ini.exe'
+ - '.sql.exe'
+ - '.json.exe'
+ - '.xml.exe'
+ - '.dat.exe'
+ - '.tmp.exe'
+ - '.bak.exe'
+ - '.config.exe'
+ - '.psd.exe'
+ - '.mkv.exe'
+ - '.flv.exe'
+ - '.ogg.exe'
+ - '.wav.exe'
+ - '.mid.exe'
+ - '.ttf.exe'
+ - '.otf.exe'
+ - '.epub.exe'
+ - '.mobi.exe'
+ - '.md.exe'
+ - '.md5.exe'
+ - '.yml.exe'
+ - '.yaml.exe'
+ - '.lua.exe'
+ - '.sh.exe'
+ - '.cmd.exe'
+ - '.exe.exe'
+ - '.dmg.exe'
 - ' .exe'
 - '______.exe'
 - '.doc.js'
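Review bot: The +107,63 hunk repeats the same 57 values verbatim as the list in the earlier hunk, so the two selections will silently drift apart the next time one of them is edited, and a gap in one field's coverage would not be noticed. Since Sigma rules do not share lists between selections, at minimum add a comment above each list such as `# NOTE: keep this list identical to the other double-extension list in this rule` so a future editor updates both. The selection this list belongs to (its name, field and modifier) starts before the hunk, so which event field it covers could not be confirmed here.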