Execution of Suspicious File Type Extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body

```yaml
title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: test
description: |
    Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
    This rule might require some initial baselining to align with some third party tooling in the user environment.
references:
    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2023-11-23
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    known_image_extension:
        Image|endswith:
            - '.bin'
            - '.cgi'
            - '.com'
            - '.exe'
            - '.scr'
            - '.tmp' # sadly many installers use this extension
    filter_main_image: # Windows utilities without extension
        Image:
            - 'System'
            - 'Registry'
            - 'MemCompression'
            - 'vmmem'
    filter_main_msi_installers:
        Image|contains: ':\Windows\Installer\MSI'
    filter_main_driver_store:
        Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
    filter_main_msi_rollbackfiles:
        Image|contains: ':\Config.Msi\'
        Image|endswith:
            - '.rbf'
            - '.rbs'
    filter_main_windows_temp:
        - ParentImage|contains: ':\Windows\Temp\'
        - Image|contains: ':\Windows\Temp\'
    filter_main_deleted:
        Image|contains: ':\$Extend\$Deleted\'
    filter_main_empty:
        Image:
            - '-'
            - ''
    filter_main_null:
        Image: null
    filter_optional_avira:
        ParentImage|contains: ':\ProgramData\Avira\'
    filter_optional_nvidia:
        Image|contains: 'NVIDIA\NvBackend\'
        Image|endswith: '.dat'
    filter_optional_winpakpro:
        Image|contains:
            - ':\Program Files (x86)\WINPAKPRO\'
            - ':\Program Files\WINPAKPRO\'
        Image|endswith: '.ngn'
    filter_optional_myq_server:
        Image|endswith:
            - ':\Program Files (x86)\MyQ\Server\pcltool.dll'
            - ':\Program Files\MyQ\Server\pcltool.dll'
    filter_optional_wsl:
        Image|contains|all:
            - '\AppData\Local\Packages\'
            - '\LocalState\rootfs\'
    filter_optional_lzma_exe:
        Image|endswith: '\LZMA_EXE'
    filter_optional_firefox:
        Image|contains: ':\Program Files\Mozilla Firefox\'
    filter_optional_docker:
        ParentImage: 'C:\Windows\System32\services.exe'
        Image|endswith: 'com.docker.service'
    condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
Stages and Predicates
Stage 0: condition

```
not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
```

Stage 1: not known_image_extension

```yaml
known_image_extension:
    Image|endswith:
        - '.bin'
        - '.cgi'
        - '.com'
        - '.exe'
        - '.scr'
        - '.tmp' # sadly many installers use this extension
```
Stage 2: not filter_main_*

```yaml
filter_main_image: # Windows utilities without extension
    Image:
        - 'System'
        - 'Registry'
        - 'MemCompression'
        - 'vmmem'
filter_main_msi_installers:
    Image|contains: ':\Windows\Installer\MSI'
filter_main_driver_store:
    Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
filter_main_msi_rollbackfiles:
    Image|contains: ':\Config.Msi\'
    Image|endswith:
        - '.rbf'
        - '.rbs'
filter_main_windows_temp:
    - ParentImage|contains: ':\Windows\Temp\'
    - Image|contains: ':\Windows\Temp\'
filter_main_deleted:
    Image|contains: ':\$Extend\$Deleted\'
filter_main_empty:
    Image:
        - '-'
        - ''
filter_main_null:
    Image: null
```
Stage 3: not filter_optional_*

```yaml
filter_optional_avira:
    ParentImage|contains: ':\ProgramData\Avira\'
filter_optional_nvidia:
    Image|contains: 'NVIDIA\NvBackend\'
    Image|endswith: '.dat'
filter_optional_winpakpro:
    Image|contains:
        - ':\Program Files (x86)\WINPAKPRO\'
        - ':\Program Files\WINPAKPRO\'
    Image|endswith: '.ngn'
filter_optional_myq_server:
    Image|endswith:
        - ':\Program Files (x86)\MyQ\Server\pcltool.dll'
        - ':\Program Files\MyQ\Server\pcltool.dll'
filter_optional_wsl:
    Image|contains|all:
        - '\AppData\Local\Packages\'
        - '\LocalState\rootfs\'
filter_optional_lzma_exe:
    Image|endswith: '\LZMA_EXE'
filter_optional_firefox:
    Image|contains: ':\Program Files\Mozilla Firefox\'
filter_optional_docker:
    ParentImage: 'C:\Windows\System32\services.exe'
    Image|endswith: 'com.docker.service'
```
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | Image | ends_with | .bin |
| 1 | Image | ends_with | .cgi |
| 1 | Image | ends_with | .com |
| 1 | Image | ends_with | .exe |
| 1 | Image | ends_with | .scr |
| 1 | Image | ends_with | .tmp |
| 2 | Image | ends_with | .rbf |
| 2 | Image | ends_with | .rbs |
| 2 | Image | match | :\Config.Msi\ |
| 2 | Image | eq | - |
| 2 | Image | eq | MemCompression |
| 2 | Image | eq | Registry |
| 2 | Image | eq | System |
| 2 | Image | eq | vmmem |
| 2 | Image | is_null | |
| 2 | Image | match | :\$Extend\$Deleted\ |
| 2 | Image | match | :\Windows\Installer\MSI |
| 2 | Image | match | :\Windows\System32\DriverStore\FileRepository\ |
| 2 | Image | match | :\Windows\Temp\ |
| 2 | ParentImage | match | :\Windows\Temp\ |
| 3 | Image | match | :\Program Files (x86)\WINPAKPRO\ |
| 3 | Image | match | :\Program Files\WINPAKPRO\ |
| 3 | Image | ends_with | .ngn |
| 3 | Image | ends_with | .dat |
| 3 | Image | match | NVIDIA\NvBackend\ |
| 3 | Image | ends_with | com.docker.service |
| 3 | ParentImage | eq | C:\Windows\System32\services.exe |
| 3 | Image | match | \AppData\Local\Packages\ |
| 3 | Image | match | \LocalState\rootfs\ |
| 3 | Image | ends_with | :\Program Files (x86)\MyQ\Server\pcltool.dll |
| 3 | Image | ends_with | :\Program Files\MyQ\Server\pcltool.dll |
| 3 | Image | ends_with | \LZMA_EXE |
| 3 | Image | match | :\Program Files\Mozilla Firefox\ |
| 3 | ParentImage | match | :\ProgramData\Avira\ |
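
The three stages above, evaluated over constructed process-creation events, as an added Python example (not the rule author's code and not a Sigma backend). The helper names, `evaluate` and the sample events are assumptions for illustration; matching is case-insensitive, as Sigma string matching is by default.

```python
KNOWN_EXT = (".bin", ".cgi", ".com", ".exe", ".scr", ".tmp")

def eq(v, *vals):    # plain field match: equals any listed value
    return v is not None and v.lower() in [x.lower() for x in vals]

def has(v, *subs):   # |contains: any listed value
    return v is not None and any(s.lower() in v.lower() for s in subs)

def ends(v, *sufs):  # |endswith: any listed value
    return v is not None and v.lower().endswith(tuple(s.lower() for s in sufs))

def evaluate(event):
    """Return 'alert', or the name of the selection that suppressed the event."""
    img, par = event.get("Image"), event.get("ParentImage")
    if ends(img, *KNOWN_EXT):                       # Stage 1
        return "known_image_extension"
    filters = {                                     # Stages 2 and 3
        "filter_main_image": eq(img, "System", "Registry", "MemCompression", "vmmem"),
        "filter_main_msi_installers": has(img, ":\\Windows\\Installer\\MSI"),
        "filter_main_driver_store": has(img, ":\\Windows\\System32\\DriverStore\\FileRepository\\"),
        # Fields in one map are AND-ed
        "filter_main_msi_rollbackfiles": has(img, ":\\Config.Msi\\") and ends(img, ".rbf", ".rbs"),
        # List items are OR-ed: either field alone matches
        "filter_main_windows_temp": has(par, ":\\Windows\\Temp\\") or has(img, ":\\Windows\\Temp\\"),
        "filter_main_deleted": has(img, ":\\$Extend\\$Deleted\\"),
        "filter_main_empty": eq(img, "-", ""),
        "filter_main_null": img is None,
        "filter_optional_avira": has(par, ":\\ProgramData\\Avira\\"),
        "filter_optional_nvidia": has(img, "NVIDIA\\NvBackend\\") and ends(img, ".dat"),
        "filter_optional_winpakpro": has(img, ":\\Program Files (x86)\\WINPAKPRO\\",
                                         ":\\Program Files\\WINPAKPRO\\") and ends(img, ".ngn"),
        "filter_optional_myq_server": ends(img, ":\\Program Files (x86)\\MyQ\\Server\\pcltool.dll",
                                           ":\\Program Files\\MyQ\\Server\\pcltool.dll"),
        "filter_optional_wsl": has(img, "\\AppData\\Local\\Packages\\") and has(img, "\\LocalState\\rootfs\\"),
        "filter_optional_lzma_exe": ends(img, "\\LZMA_EXE"),
        "filter_optional_firefox": has(img, ":\\Program Files\\Mozilla Firefox\\"),
        "filter_optional_docker": eq(par, "C:\\Windows\\System32\\services.exe") and ends(img, "com.docker.service"),
    }
    return next((name for name, hit in filters.items() if hit), "alert")

EVENTS = [  # constructed events, not real telemetry
    {"Image": "C:\\Users\\demo\\Documents\\invoice.pdf", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\NOTEPAD.EXE", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Config.Msi\\4f2a1.rbf", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"Image": "C:\\Config.Msi\\4f2a1.dat", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"Image": None, "ParentImage": None},
    {"Image": "C:\\ProgramData\\demo\\helper.dat", "ParentImage": "C:\\Windows\\Temp\\setup.exe"},
]
```

Running `[evaluate(e) for e in EVENTS]` shows which selection decides each event, which is a quick way to check a local baseline change before deploying it.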