forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathfile_extension_abuse.yml
More file actions
60 lines (60 loc) · 3.3 KB
/
file_extension_abuse.yml
File metadata and controls
60 lines (60 loc) · 3.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
category:
- Malware
channel: ESCU
creation_date: '2018-01-26'
description: Detect and investigate suspected abuse of file extensions and Windows
file associations. Some of the malicious behaviors involved may include inserting
spaces before file extensions or prepending the file extension with a different
one, among other techniques.
detections:
- detection_id: b06a555e-dce0-417d-a2eb-28a5d8d66ef7
name: Execution of File with Multiple Extensions
type: splunk
- detection_id: ab0353e6-a956-420b-b724-a8b4846d5d5a
name: Execution of File With Spaces Before Extension
type: splunk
- detection_id: 1b989a0e-0129-4446-a695-f193a5b746fc
name: Suspicious Changes to File Associations
type: splunk
id: 30552a76-ac78-48e4-b3c0-de4e34e9563d
maintainers:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
modification_date: '2018-01-26'
name: Windows File Extension and Association Abuse
narrative: "Attackers use a variety of techniques to entice users to run malicious\
\ code or to persist on an endpoint. One way to accomplish these goals is to leverage\
\ file extensions and the mechanism Windows uses to associate files with specific\
\ applications. \\\n Since its earliest days, Windows has used extensions to identify\
\ file types. Users have become familiar with these extensions and their application\
\ associations. For example, if users see that a file ends in `.doc` or `.docx`,\
\ they will assume that it is a Microsoft Word document and expect that double-clicking\
\ will open it using `winword.exe`. The user will typically also presume that the\
\ `.docx` file is safe. \\\n Attackers take advantage of this expectation by obfuscating\
\ the true file extension. They can accomplish this in a couple of ways. One technique\
\ involves inserting multiple spaces in the file name before the extension to hide\
\ the extension from the GUI, obscuring the true nature of the file. Another approach\
\ involves prepending the real extension with a different one. This is especially\
\ effective when Windows is configured to \"hide extensions for known file types.\"\
\ In this case, the real extension is not displayed, but the prepended one is, leading\
\ end users to believe the file is a different type than it actually is.\\\nChanging\
\ the association between a file extension and an application can allow an attacker\
\ to execute arbitrary code. The technique typically involves changing the association\
\ for an often-launched file type to associate instead with a malicious program\
\ the attacker has dropped on the endpoint. When the end user launches a file that\
\ has been manipulated in this way, it will execute the attacker's malware. It will\
\ also execute the application the end user expected to run, cleverly obscuring\
\ the fact that something suspicious has occurred.\\\nRun the searches in this story\
\ to detect and investigate suspicious behavior that may indicate abuse or manipulation\
\ of Windows file extensions and/or associations."
original_authors:
- company: Splunk
email: rvaldez@splunk.com
name: Rico Valdez
references:
- https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/
- https://attack.mitre.org/wiki/Technique/T1042
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'