Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies. This analytic triggers when a user attempts to download a file from the web whose name has two extensions. To decrease false positives, it triggers only when the first extension is harmless (a document or image type) and the second may be harmful (an executable or script type).
This Splunk search looks for files downloaded from the web whose filenames carry two extensions. Replace `your_sourcetype` with the sourcetype of your proxy logs.
```spl
index=proxy_logs sourcetype="your_sourcetype" http_method=GET http_content_type=application/octet-stream
| search "*.pdf.exe" OR "*.pdf.scr" OR "*.pdf.bat" OR "*.pdf.cmd" OR "*.pdf.vbs" OR "*.pdf.js" OR "*.pdf.lnk" OR "*.pdf.msi" OR "*.pdf.pif"
    OR "*.jpg.exe" OR "*.jpg.scr" OR "*.jpg.bat" OR "*.jpg.cmd" OR "*.jpg.vbs" OR "*.jpg.js" OR "*.jpg.lnk" OR "*.jpg.msi" OR "*.jpg.pif"
    OR "*.png.exe" OR "*.png.scr" OR "*.png.bat" OR "*.png.cmd" OR "*.png.vbs" OR "*.png.js" OR "*.png.lnk" OR "*.png.msi" OR "*.png.pif"
    OR "*.txt.exe" OR "*.txt.scr" OR "*.txt.bat" OR "*.txt.cmd" OR "*.txt.vbs" OR "*.txt.js" OR "*.txt.lnk" OR "*.txt.msi" OR "*.txt.pif"
    OR "*.docx.exe" OR "*.docx.scr" OR "*.docx.bat" OR "*.docx.cmd" OR "*.docx.vbs" OR "*.docx.js" OR "*.docx.lnk" OR "*.docx.msi" OR "*.docx.pif"
    OR "*.xlsx.exe" OR "*.xlsx.scr" OR "*.xlsx.bat" OR "*.xlsx.cmd" OR "*.xlsx.vbs" OR "*.xlsx.js" OR "*.xlsx.lnk" OR "*.xlsx.msi" OR "*.xlsx.pif"
    OR "*.pptx.exe" OR "*.pptx.scr" OR "*.pptx.bat" OR "*.pptx.cmd" OR "*.pptx.vbs" OR "*.pptx.js" OR "*.pptx.lnk" OR "*.pptx.msi" OR "*.pptx.pif"
    OR "*.csv.exe" OR "*.csv.scr" OR "*.csv.bat" OR "*.csv.cmd" OR "*.csv.vbs" OR "*.csv.js" OR "*.csv.lnk" OR "*.csv.msi" OR "*.csv.pif"
```
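The same decoy-plus-executable rule, implemented as an added example (not part of the original analytic) that runs over constructed proxy log lines. It goes slightly beyond the Splunk search: it normalises case, percent-decodes the URL path and strips query strings before checking the extension pair, and it does not require `application/octet-stream`, since the server controls that header. The log format and the `find_double_extension_downloads` helper are assumptions for illustration.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, unquote

# Decoy (benign-looking) and executable extensions, taken from the Splunk search above.
DECOY_EXTS = {"pdf", "jpg", "png", "txt", "docx", "xlsx", "pptx", "csv"}
EXEC_EXTS = {"exe", "scr", "bat", "cmd", "vbs", "js", "lnk", "msi", "pif"}

def filename_from_url(url: str) -> str:
    """Last path segment of a URL, percent-decoded, with query/fragment removed."""
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1])

def is_double_extension(filename: str) -> bool:
    """True when the name ends in <decoy>.<executable>, e.g. invoice.pdf.exe."""
    parts = filename.lower().split(".")
    if len(parts) < 3:  # need base name + decoy extension + real extension
        return False
    return parts[-2] in DECOY_EXTS and parts[-1] in EXEC_EXTS

# Constructed sample proxy log lines (hypothetical key=value format, not real traffic).
SAMPLE_LOGS = """\
src=10.1.2.3 method=GET url=http://files.example.test/Invoice.PDF.exe content_type=application/octet-stream
src=10.1.2.4 method=GET url=http://cdn.example.test/report.pdf content_type=application/pdf
src=10.1.2.5 method=GET url=http://dl.example.test/photo%2Ejpg.scr?id=7 content_type=application/octet-stream
src=10.1.2.6 method=GET url=http://dl.example.test/setup.exe content_type=application/octet-stream
src=10.1.2.7 method=GET url=http://dl.example.test/archive.tar.gz content_type=application/octet-stream
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+) content_type=(?P<ctype>\S+)")

def find_double_extension_downloads(log_text: str) -> list[tuple[str, str]]:
    """Return (source, filename) for GET downloads whose filename is a decoy+executable pair."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        name = filename_from_url(m["url"])
        if is_double_extension(name):
            hits.append((m["src"], name))
    return hits

if __name__ == "__main__":
    for src, name in find_double_extension_downloads(SAMPLE_LOGS):
        print(f"ALERT double-extension download: {src} -> {name}")
```

Note that `archive.tar.gz` and a plain `setup.exe` are not flagged: only a benign decoy extension followed by an executable one counts.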
Double File Extension
ATT&CK Coverage
Splunk Search - Double File Extension
Data Model Mappings
Öykü Zeynep KOCA