<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>File-Extension - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/file-extension/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/file-extension/feed.xml" rel="self" type="application/rss+xml"/><item><title>Executable File Creation with Multiple Extensions</title><link>https://feed.craftedsignal.io/briefs/2024-01-double-file-extension/</link><pubDate>Thu, 04 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-double-file-extension/</guid><description>This rule detects the creation of executable files with multiple extensions, a masquerading technique used to evade defenses by disguising malicious executables as benign files to trick users into executing them.</description><content:encoded><![CDATA[<p>Adversaries may use masquerading techniques to evade defenses and blend in with the environment. One such technique involves manipulating the file extension of an executable file by appending multiple extensions. This is done to trick a user into executing what appears to be a benign file, such as a document or image, but is actually executable code. This technique, often referred to as &quot;double file extension&quot;, can bypass security measures that rely on file extension filtering. This detection focuses on Windows environments and aims to identify suspicious file creations with misleading extensions, excluding known legitimate processes. The detection leverages file creation events and regular expression matching to identify potentially malicious files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User receives a file via email or downloads it from a website. The file has a double extension, such as &quot;document.pdf.exe&quot;.</li>
<li>The user, believing the file to be a PDF document, double-clicks the file to open it.</li>
<li>Windows executes the file, treating it as an executable due to the &quot;.exe&quot; extension.</li>
<li>The executable runs with the privileges of the user who launched it.</li>
<li>The executable may download additional payloads or execute malicious commands.</li>
<li>The malicious code performs actions such as installing malware, stealing credentials, or establishing persistence.</li>
<li>The attacker gains control of the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using this technique can lead to malware infection, data theft, and system compromise. The masquerading technique can bypass standard security measures, making it more likely that unsuspecting users will execute the malicious file. The impact can range from individual workstation compromise to broader network infections, potentially affecting numerous users and systems. This technique can lead to significant disruption of services and financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Executable File Creation with Multiple Extensions&quot; to your SIEM to detect the creation of files with suspicious double extensions (see rules).</li>
<li>Configure endpoint detection and response (EDR) systems to monitor file creation events and flag files with double extensions for further analysis (see rules).</li>
<li>Educate users about the risks of opening files with unusual or double extensions to prevent them from falling victim to this attack.</li>
<li>Review and harden email filtering policies to block or quarantine emails containing attachments with double extensions.</li>
<li>Implement application control policies to restrict the execution of unauthorized executables in user directories and temporary folders.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>masquerading</category><category>file-extension</category><category>windows</category></item></channel></rss>