Language: SPL. License: Apache-2.0. Source: splunk/security_content

Windows Executable Masquerading as Benign File Types

The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables with extensions commonly associated with documents, images, or other non-executable formats (e.g., .pdf, .jpg, .doc, .png).

Rule source: detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml
`sysmon`
EventCode=29
NOT `executable_extensions`
| stats count min(_time) as firstTime max(_time) as lastTime
  by Image file_name file_path process_guid file_hash process_id dest user EventCode
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_executable_masquerading_as_benign_file_types_filter`
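As an added example, not code from splunk/security_content, the search's filter and `stats` aggregation re-implemented in Python over constructed Sysmon EventCode=29 (FileExecutableDetected) records whose fields are already extracted, the way Splunk would see them; the contents of the `executable_extensions` macro and all sample values are assumptions.

```python
# Added example (not part of splunk/security_content): mirror the SPL's
# EventCode=29 / NOT `executable_extensions` filter and its stats clause.
import ntpath
from collections import defaultdict

# Assumed contents of the `executable_extensions` macro; the real lookup may differ.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl",
                         ".ocx", ".drv", ".msi", ".pif"}


def ev(t, code, image, target, guid="{guid-1}", pid=4120, user="CORP\\alice", dest="ws01"):
    """Build one constructed, already-field-extracted Sysmon record (sample data)."""
    return {"_time": t, "EventCode": code, "Image": image, "TargetFilename": target,
            "process_guid": guid, "process_id": pid, "file_hash": "SHA256=<constructed>",
            "user": user, "dest": dest}


# Sysmon raises Event ID 29 only for files that carry a PE header, so every
# EventCode 29 record below is an executable regardless of the name it was given.
SAMPLE_EVENTS = [
    ev(1714557600, 29, "C:\\Windows\\explorer.exe", "C:\\Users\\alice\\Downloads\\invoice.pdf"),
    ev(1714557660, 29, "C:\\Windows\\explorer.exe", "C:\\Users\\alice\\Downloads\\invoice.pdf"),
    ev(1714557720, 29, "C:\\Installer\\setup.exe", "C:\\App\\app.DLL", "{guid-2}", 5008),  # exec ext
    ev(1714557780, 11, "C:\\Windows\\System32\\svchost.exe", "C:\\Temp\\photo.jpg", "{guid-3}", 777),  # not ID 29
    ev(1714557840, 29, "C:\\Users\\bob\\stage1.exe", "C:\\Users\\bob\\AppData\\Roaming\\update",
       "{guid-4}", 9001, "CORP\\bob", "ws02"),  # no extension at all: still flagged
]


def has_executable_extension(target_filename):
    """Mirror NOT `executable_extensions`: compare the final extension case-insensitively."""
    return ntpath.splitext(target_filename)[1].lower() in EXECUTABLE_EXTENSIONS


def masquerading_summary(events):
    """Filter like the search, then group with count/firstTime/lastTime like its stats clause."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": float("inf"), "lastTime": 0})
    for e in events:
        if e["EventCode"] != 29 or has_executable_extension(e["TargetFilename"]):
            continue
        file_path, file_name = ntpath.split(e["TargetFilename"])  # CIM file_path / file_name
        key = (e["Image"], file_name, file_path, e["process_guid"],
               e["file_hash"], e["process_id"], e["dest"], e["user"])
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return dict(groups)
```

Because the macro excludes any name whose final extension is executable, a double-extension name such as invoice.pdf.exe ends in .exe and is not matched by this search, which is why the example checks only the last extension.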