Detect execution of suspicious double extension files in ParentCommandLine
```yaml
title: Suspicious Parent Double Extension File Execution
id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
      type: derived
status: test
description: Detects the execution of a process whose parent image or parent command line references a file with a suspicious double extension (a document extension such as .pdf or .docx followed by .lnk or .js), a common way to disguise a script or shortcut payload as a document
references:
    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-06
modified: 2023-02-28
tags:
    - attack.defense_evasion
    - attack.t1036.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - ParentImage|endswith:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
        - ParentCommandLine|contains:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
    condition: selection
falsepositives:
    - Unknown
    - Benign files whose names merely contain one of the listed substrings, since the ParentCommandLine check is a substring match (for example a '.txt.json' path contains '.txt.js')
level: high
```
```kql
// Sentinel (ASIM imProcessCreate) translation of the rule above: ParentImage is mapped to
// ParentProcessName and ActingProcessName, ParentCommandLine to ActingProcessCommandLine.
imProcessCreate
| where (
        (ParentProcessName endswith ".doc.lnk" or ParentProcessName endswith ".docx.lnk" or ParentProcessName endswith ".xls.lnk" or ParentProcessName endswith ".xlsx.lnk" or ParentProcessName endswith ".ppt.lnk" or ParentProcessName endswith ".pptx.lnk" or ParentProcessName endswith ".rtf.lnk" or ParentProcessName endswith ".pdf.lnk" or ParentProcessName endswith ".txt.lnk"
         or ParentProcessName endswith ".doc.js" or ParentProcessName endswith ".docx.js" or ParentProcessName endswith ".xls.js" or ParentProcessName endswith ".xlsx.js" or ParentProcessName endswith ".ppt.js" or ParentProcessName endswith ".pptx.js" or ParentProcessName endswith ".rtf.js" or ParentProcessName endswith ".pdf.js" or ParentProcessName endswith ".txt.js")
        or (ActingProcessName endswith ".doc.lnk" or ActingProcessName endswith ".docx.lnk" or ActingProcessName endswith ".xls.lnk" or ActingProcessName endswith ".xlsx.lnk" or ActingProcessName endswith ".ppt.lnk" or ActingProcessName endswith ".pptx.lnk" or ActingProcessName endswith ".rtf.lnk" or ActingProcessName endswith ".pdf.lnk" or ActingProcessName endswith ".txt.lnk"
         or ActingProcessName endswith ".doc.js" or ActingProcessName endswith ".docx.js" or ActingProcessName endswith ".xls.js" or ActingProcessName endswith ".xlsx.js" or ActingProcessName endswith ".ppt.js" or ActingProcessName endswith ".pptx.js" or ActingProcessName endswith ".rtf.js" or ActingProcessName endswith ".pdf.js" or ActingProcessName endswith ".txt.js")
    )
    or (ActingProcessCommandLine contains ".doc.lnk" or ActingProcessCommandLine contains ".docx.lnk" or ActingProcessCommandLine contains ".xls.lnk" or ActingProcessCommandLine contains ".xlsx.lnk" or ActingProcessCommandLine contains ".ppt.lnk" or ActingProcessCommandLine contains ".pptx.lnk" or ActingProcessCommandLine contains ".rtf.lnk" or ActingProcessCommandLine contains ".pdf.lnk" or ActingProcessCommandLine contains ".txt.lnk"
        or ActingProcessCommandLine contains ".doc.js" or ActingProcessCommandLine contains ".docx.js" or ActingProcessCommandLine contains ".xls.js" or ActingProcessCommandLine contains ".xlsx.js" or ActingProcessCommandLine contains ".ppt.js" or ActingProcessCommandLine contains ".pptx.js" or ActingProcessCommandLine contains ".rtf.js" or ActingProcessCommandLine contains ".pdf.js" or ActingProcessCommandLine contains ".txt.js")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
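To see exactly what the `selection` above fires on, the following Python script evaluates the rule's two OR-ed clauses (`ParentImage|endswith` and `ParentCommandLine|contains`, both case-insensitive as Sigma string modifiers are by default) over a handful of process_creation events. This is an added example, not code from the Sigma rule, the Sigma project or Sentinel; the events, paths and file names are constructed for illustration and the field names follow the Sigma process_creation taxonomy. The fourth event shows a caveat a practitioner should expect in triage: because the command-line clause is a substring match, a benign `.txt.json` path satisfies `contains '.txt.js'`.

```python
"""Run the rule's `selection` over constructed process_creation events.

Added example; not code from the Sigma rule, the Sigma project or Sentinel.
Field names follow the Sigma process_creation taxonomy; the events are made up.
"""

DOCUMENT_EXTENSIONS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "pdf", "txt")
EXECUTABLE_EXTENSIONS = ("lnk", "js")

# The 18 suffixes listed in the rule, in the rule's order (all .lnk first, then all .js).
SUSPICIOUS_SUFFIXES = tuple(
    f".{doc}.{ext}" for ext in EXECUTABLE_EXTENSIONS for doc in DOCUMENT_EXTENSIONS
)


def match_details(event):
    """Return (field, suffix) for the first clause that matches, or None.

    The two list items under `selection` are OR-ed and evaluated in rule order:
    ParentImage|endswith first, then ParentCommandLine|contains. Sigma string
    modifiers are case-insensitive by default, so both sides are lower-cased.
    """
    parent_image = (event.get("ParentImage") or "").lower()
    for suffix in SUSPICIOUS_SUFFIXES:
        if parent_image.endswith(suffix):
            return ("ParentImage", suffix)
    parent_cmdline = (event.get("ParentCommandLine") or "").lower()
    for suffix in SUSPICIOUS_SUFFIXES:
        if suffix in parent_cmdline:  # substring match, exactly like `contains`
            return ("ParentCommandLine", suffix)
    return None


def matches_rule(event):
    """True when the event satisfies `condition: selection`."""
    return match_details(event) is not None


def evaluate(events):
    """One result per event, in order: (field, suffix) or None."""
    return [match_details(event) for event in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # (1) Script disguised as a PDF, run by wscript.exe, which then spawns PowerShell.
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File stage.ps1",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_Q4.pdf.js"',
    },
    # (2) Shortcut disguised as a document, started through cmd.exe; the upper-case
    #     name shows that the match is case-insensitive.
    {
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\run.hta",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c start "" "C:\Users\alice\AppData\Local\Temp\CONTRACT.DOCX.LNK"',
    },
    # (3) Benign: Word opened from Explorer; the document has a single extension.
    {
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\quarterly.docx"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    # (4) Benign but fires: `contains '.txt.js'` is also satisfied by '.txt.json'.
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /d /s /c tsc --build",
        "ParentImage": r"C:\Program Files\nodejs\node.exe",
        "ParentCommandLine": r'"C:\Program Files\nodejs\node.exe" C:\src\scripts\build.js --config C:\src\config\settings.txt.json',
    },
]


if __name__ == "__main__":
    for event, details in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        verdict = f"ALERT {details[0]} matched {details[1]!r}" if details else "no match"
        child = event["Image"].split("\\")[-1]
        print(f"{verdict:<45} child={child}")
```

Events 1 and 2 fire on the command-line clause, event 3 does not fire, and event 4 fires on `.txt.js` although the parent merely read a `.txt.json` file. Tightening that clause (for example by requiring a closing quote or whitespace after the extension) depends on how the command line was quoted in your telemetry, so the cheaper option is usually to triage on the returned suffix and the parent image together.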