Threat Feed
medium advisory

Executable File Creation with Multiple Extensions

Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.

Adversaries may use masquerading techniques to evade defenses and blend into the environment by manipulating the name or location of a file, tricking users into running malicious code disguised as a benign file type. This rule detects the creation of executable files with multiple extensions, a common form of masquerading: it flags newly created files whose name ends in “.exe” immediately preceded by a common benign extension (for example “.pdf.exe” or “.docx.exe”). Known legitimate creating processes are excluded to limit false positives. The activity matters to defenders because it is the moment at which a disguised payload lands on disk, before the user is tricked into launching it.

Attack Chain

  1. An attacker crafts a malicious executable file with a double extension (e.g., “document.pdf.exe”).
  2. The attacker delivers the malicious file to the target system via phishing or other means.
  3. The user downloads or receives the file and attempts to open it.
  4. With Explorer’s default “Hide extensions for known file types” setting, the file is shown as “document.pdf”, so the user sees a document rather than a program.
  5. When the user opens it, Windows dispatches on the final extension, “.exe”, and runs the file as a program.
  6. The malicious executable runs, potentially deploying malware or performing other unauthorized actions.
  7. The malware establishes persistence or attempts lateral movement within the network.
  8. The attacker achieves their objective, such as data theft or system compromise.

Impact

Successful exploitation can lead to malware infection, data breaches, and system compromise. The technique relies on the user trusting the visible file name, and it can slip past controls that judge a file by its apparent type rather than its content. The advisory does not quantify victims, but the impact can be significant, particularly in organizations where users handle sensitive data. The affected sectors are broad, encompassing any organization whose users are exposed to social engineering.

Recommendation

  • Deploy the Sigma rule “Executable File Creation with Multiple Extensions” to your SIEM and tune for your environment to detect the creation of suspicious files with multiple extensions.
  • Enable Sysmon Event ID 11 (File Create) for comprehensive file creation monitoring to improve the effectiveness of the detection rule.
  • Extend the same monitoring to process creation (Sysmon Event ID 1) so that execution of a double-extension file is caught even when its creation was missed or occurred before logging was enabled.
  • Educate users on the risks associated with double file extensions and encourage caution when opening attachments from unknown sources.
  • Review and whitelist legitimate software installations that may create executables with multiple extensions to reduce false positives, as described in the rule’s triage notes.

Detection coverage (2 rules)

Executable File Creation with Multiple Extensions

medium

Detects the creation of executable files with multiple extensions, a technique used for masquerading.

Format: Sigma · Tactics: defense_evasion · Techniques: T1036.007 · Sources: file_event, windows

Suspicious Process Executing Double Extension File

high

Detects a process executing a file with a double extension, indicative of masquerading.

Format: Sigma · Tactics: defense_evasion, execution · Techniques: T1036.007 · Sources: process_creation, windows
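The following is an added illustration of the logic the two rules above and the overview describe; it is not the vendor’s Sigma rule and does not reproduce its exact conditions. It evaluates constructed Sysmon-style records: Event ID 11 (FileCreate, field TargetFilename) for the creation rule and Event ID 1 (ProcessCreate, field Image) for the execution rule. The list of benign extensions, the allowlist of creating processes, and the sample events are all assumptions made for this example and should be tuned to your environment.

```python
"""Double-extension masquerading detector over constructed Sysmon-style events.

Added example, not the page's own rule. Field names follow Sysmon's EventData
schema (EventID, Image, ParentImage, TargetFilename); everything else is assumed.
"""
import re
from typing import Dict, Iterable, List, Optional

# Benign-looking extensions commonly placed before the real ".exe".
# Assumption for this example; the real rule's list may differ.
BENIGN_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
               "rtf", "jpg", "jpeg", "png", "gif", "zip", "rar", "mp3", "mp4")

# Matches "<name>.<benign>.exe" at the end of a file name, case-insensitively.
DOUBLE_EXT_RE = re.compile(r"\.(?:" + "|".join(BENIGN_EXTS) + r")\.exe$",
                           re.IGNORECASE)

# Hypothetical allowlist of creating processes (lower-cased full paths).
ALLOWED_IMAGES = {r"c:\program files\exampleupdater\updater.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_double_extension(path: str) -> bool:
    """True when the file name ends in <benign extension>.exe."""
    return bool(DOUBLE_EXT_RE.search(_basename(path)))


def displayed_name(path: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types'
    enabled (the default): only the last extension is hidden, so
    'document.pdf.exe' is displayed as 'document.pdf'."""
    name = _basename(path)
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def evaluate(event: Dict) -> Optional[Dict]:
    """Return an alert for a matching event, or None.

    EventID 11: a process (Image) wrote TargetFilename to disk.
    EventID 1:  a process started; Image is the executable that ran.
    """
    eid = event.get("EventID")
    if eid == 11:
        target, actor = event.get("TargetFilename", ""), event.get("Image", "")
        if actor.lower() in ALLOWED_IMAGES:      # known legitimate creator
            return None
        if is_double_extension(target):
            return {"rule": "Executable File Creation with Multiple Extensions",
                    "level": "medium", "file": target, "by": actor}
    elif eid == 1:
        image = event.get("Image", "")
        if is_double_extension(image):
            return {"rule": "Suspicious Process Executing Double Extension File",
                    "level": "high", "file": image,
                    "by": event.get("ParentImage", "")}
    return None


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Run both rules over a stream of events and collect the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Invoice_2024.pdf.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\ExampleUpdater\updater.exe",
     "TargetFilename": r"C:\ProgramData\ExampleUpdater\setup.zip.exe"},  # allowlisted
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.pdf"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\Invoice_2024.PDF.EXE"},   # mixed case
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: {alert['file']} "
              f"(shown to the user as {displayed_name(alert['file'])!r}) "
              f"by {alert['by']}")
```

Two points worth noting when turning this into a production query: the match must be case-insensitive, because NTFS is case-preserving and an attacker can write “.PDF.EXE”; and the allowlist should key on the full path of the creating process, not just its file name, otherwise a payload named updater.exe dropped in a user-writable directory would suppress the alert.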
