Misleading extensions Xls.exe Doc.exe Pdf.exe
I get something out of Twitter almost every day, and it is not uncommon to see an example a few times before it sinks in that you are looking at a technique that needs a rule. These fall under the ATT&CK framework as masquerading (T1036).
I saw a tweet the other day that reminded me of a couple of signatures worth talking about. Misleading double extensions are not new, but they never seem to go out of style. With a modern EDR this is an easy win.
The malware filename ended in .xls.exe, but let's expand that to include other Office file types.
The sig is largely self-explanatory: the tokenization allows for keyword search by breaking up the extension, and the process-path conditions anchor it all to the process name, since these are otherwise pretty generic terms.
Another tweet by blackorbird shows a filename with a bunch of leading underscores ("_____.exe"); let's expand that to include spaces as well.
Searching Neo23x0's Sigma rules, I found a related example looking for filenames inside a RAR archive with .pdf followed by a script extension. I am sure he has the other variants somewhere as well.
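To show the two checks above in one place, here is an added Python example (not the author's signature and not Neo23x0's rule) that classifies a process image path for the document-extension-plus-executable pattern and for the leading underscore/space padding. The extension lists, the padding threshold of three characters and the sample paths are all my own constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Document-type extensions an executable should not be "wearing" (assumed list).
DOC_EXTS = {"xls", "xlsx", "doc", "docx", "ppt", "pptx", "pdf", "rtf", "txt"}
# Extensions that actually decide how Windows runs the file (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
             "vbs", "vbe", "ps1", "hta", "wsf"}
# Minimum run of underscores/spaces treated as padding (assumed threshold).
PAD = re.compile(r"[_ ]{3,}")


def classify(image_path):
    """Return the masquerading indicators found in a process image path."""
    name = PureWindowsPath(image_path).name   # anchor on the file name only
    findings = []
    # Strip each token so "report.pdf   .exe" tokenizes like "report.pdf.exe".
    parts = [p.strip() for p in name.lower().split(".")]
    last = parts[-1]
    if len(parts) >= 3 and last in EXEC_EXTS and parts[-2] in DOC_EXTS:
        findings.append(f"double extension .{parts[-2]}.{last}")
    stem = name.rsplit(".", 1)[0]              # everything before the real extension
    if last in EXEC_EXTS and PAD.fullmatch(stem):
        findings.append("filename is only underscores/spaces")
    elif last in EXEC_EXTS and PAD.match(stem):
        findings.append("leading underscore/space padding")
    return findings


# Constructed sample process-creation image paths (not taken from the tweets).
SAMPLE_EVENTS = [
    r"C:\Users\bob\Downloads\Invoice_2023.xls.exe",
    r"C:\Users\bob\AppData\Local\Temp\report.pdf   .exe",
    r"C:\Users\bob\Desktop\_____.exe",
    r"C:\Users\bob\Desktop\    readme.scr",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"C:\Users\bob\Documents\Q3 budget.xlsx",
]


def scan(events):
    """Map each image path that triggers at least one indicator to its findings."""
    return {e: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(hits))
```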
References:
https://twitter.com/blackorbird/status/1140519090961825792
https://twitter.com/blackorbird/status/1098170487773921281
https://github.com/Neo23x0/sigma (gen_suspicious_strings.yar)
https://attack.mitre.org/techniques/T1036/