{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-extension/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","masquerading","file-extension","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries may use masquerading techniques to evade defenses and blend in with the environment. One such technique involves manipulating the file extension of an executable file by appending multiple extensions. This is done to trick a user into executing what appears to be a benign file, such as a document or image, but is actually executable code. This technique, often referred to as \u0026quot;double file extension\u0026quot;, can bypass security measures that rely on file extension filtering. This detection focuses on Windows environments and aims to identify suspicious file creations with misleading extensions, excluding known legitimate processes. The detection leverages file creation events and regular expression matching to identify potentially malicious files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser receives a file via email or downloads it from a website. The file has a double extension, such as \u0026quot;document.pdf.exe\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe user, believing the file to be a PDF document, double-clicks the file to open it.\u003c/li\u003e\n\u003cli\u003eWindows executes the file, treating it as an executable due to the \u0026quot;.exe\u0026quot; extension.\u003c/li\u003e\n\u003cli\u003eThe executable runs with the privileges of the user who launched it.\u003c/li\u003e\n\u003cli\u003eThe executable may download additional payloads or execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as installing malware, stealing credentials, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to malware infection, data theft, and system compromise. The masquerading technique can bypass standard security measures, making it more likely that unsuspecting users will execute the malicious file. The impact can range from individual workstation compromise to broader network infections, potentially affecting numerous users and systems. This technique can lead to significant disruption of services and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Executable File Creation with Multiple Extensions\u0026quot; to your SIEM to detect the creation of files with suspicious double extensions (see rules).\u003c/li\u003e\n\u003cli\u003eConfigure endpoint detection and response (EDR) systems to monitor file creation events and flag files with double extensions for further analysis (see rules).\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening files with unusual or double extensions to prevent them from falling victim to this attack.\u003c/li\u003e\n\u003cli\u003eReview and harden email filtering policies to block or quarantine emails containing attachments with double extensions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized executables in user directories and temporary folders.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T10:00:00Z","date_published":"2024-01-04T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-double-file-extension/","summary":"This rule detects the creation of executable files with multiple extensions, a masquerading technique used to evade defenses by disguising malicious executables as benign files to trick users into executing them.","title":"Executable File Creation with Multiple Extensions","url":"https://feed.craftedsignal.io/briefs/2024-01-double-file-extension/"}],"language":"en","title":"CraftedSignal Threat Feed - File-Extension","version":"https://jsonfeed.org/version/1.1"}