Execution of Suspicious File Type Extension

Severity: medium
Author: Max Altgelt (Nextron Systems)
Source: upstream

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `not known_image_extension`

or:
Image|endswith: .bin
Image|endswith: .cgi
Image|endswith: .com
Image|endswith: .exe
Image|endswith: .scr
Image|endswith: .tmp

Stage 2: `not 1 of filter_main_*`

or:
or:
Image|endswith: .rbf
Image|endswith: .rbs
Image|contains: ':\Config.Msi\'
Image: ''
Image: -
Image: MemCompression
Image: Registry
Image: System
Image: vmmem
Image: null
Image|contains: ':\$Extend\$Deleted\'
Image|contains: ':\Windows\Installer\MSI'
Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
Image|contains: ':\Windows\Temp\'
ParentImage|contains: ':\Windows\Temp\'

Stage 3: `not 1 of filter_optional_*`

or:
or:
Image|contains: ':\Program Files (x86)\WINPAKPRO\'
Image|contains: ':\Program Files\WINPAKPRO\'
Image|endswith: .ngn
Image|endswith: .dat
Image|contains: 'NVIDIA\NvBackend\'
Image|endswith: com.docker.service
ParentImage: 'C:\Windows\System32\services.exe'
Image|contains: '\AppData\Local\Packages\'
Image|contains: '\LocalState\rootfs\'
Image|endswith: ':\Program Files (x86)\MyQ\Server\pcltool.dll'
Image|endswith: ':\Program Files\MyQ\Server\pcltool.dll'
Image|endswith: '\LZMA_EXE'
Image|contains: ':\Program Files\Mozilla Firefox\'
ParentImage|contains: ':\ProgramData\Avira\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`.bin` `.cgi` `.com` `.dat` `.exe` corpus 4 (sigma 4) `.ngn` `.rbf` `.rbs` `.scr` `.tmp` corpus 2 (sigma 2) `:\Program Files (x86)\MyQ\Server\pcltool.dll` `:\Program Files\MyQ\Server\pcltool.dll` `\LZMA_EXE` `com.docker.service`
`Image`	eq	`-` corpus 2 (sigma 2) `MemCompression` corpus 2 (sigma 2) `Registry` corpus 3 (sigma 3) `System` corpus 8 (sigma 8) `vmmem` corpus 2 (sigma 2)
`Image`	match	`:\$Extend\$Deleted\` `:\Config.Msi\` `:\Program Files (x86)\WINPAKPRO\` `:\Program Files\Mozilla Firefox\` `:\Program Files\WINPAKPRO\` `:\Windows\Installer\MSI` `:\Windows\System32\DriverStore\FileRepository\` `:\Windows\Temp\` corpus 9 (sigma 9) `NVIDIA\NvBackend\` `\AppData\Local\Packages\` `\LocalState\rootfs\`
`ParentImage`	eq	`C:\Windows\System32\services.exe` corpus 2 (sigma 2)
`ParentImage`	match	`:\ProgramData\Avira\` `:\Windows\Temp\` corpus 4 (sigma 4)