sigmaDRL-1.1from SigmaHQ/sigma
Suspicious Appended Extension
Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
Quality
84
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/file/file_rename/file_rename_win_ransomware.yml
title: Suspicious Appended Extension
id: e3f673b3-65d1-4d80-9146-466f8b63fa99
status: test
description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
references:
- https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
- https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022-07-16
modified: 2023-11-11
tags:
- attack.impact
- attack.t1486
logsource:
product: windows
category: file_rename
definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
selection:
SourceFilename|endswith:
- '.doc'
- '.docx'
- '.jpeg'
- '.jpg'
- '.lnk'
- '.pdf'
- '.png'
- '.pst'
- '.rtf'
- '.xls'
- '.xlsx'
TargetFilename|contains:
- '.doc.'
- '.docx.'
- '.jpeg.'
- '.jpg.'
- '.lnk.'
- '.pdf.'
- '.png.'
- '.pst.'
- '.rtf.'
- '.xls.'
- '.xlsx.'
filter_main_generic:
TargetFilename|endswith:
# Note: Please add more used extensions by backup or recovery software
- '.backup'
- '.bak'
- '.old'
- '.orig'
- '.temp'
- '.tmp'
filter_optional_anaconda:
TargetFilename|contains: ':\ProgramData\Anaconda3\'
TargetFilename|endswith: '.c~'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Backup software
level: medium