Archive File with Unusual Extension
Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1036.008 Masquerading: Masquerade File Type |
Rule body

```toml
[metadata]
bypass_bbr_timing = true
creation_date = "2023/09/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by
masquerading files using the file extension values used by image, audio, or document file types.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Archive File with Unusual Extension"
risk_score = 21
rule_id = "cffbaf47-9391-4e09-a83c-1f27d7474826"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.action != "deletion" and
  /* common archive file headers - Rar, 7z, GZIP, MSCF, XZ, ZIP */
  file.Ext.header_bytes : ("52617221*", "377ABCAF271C*", "1F8B*", "4d534346*", "FD377A585A00*", "504B0304*", "504B0708*") and
  (
    /* common image file extensions */
    file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "ico", "fpx", "eps", "inf") or
    /* common audio and video file extensions */
    file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or
    /* common document file extensions */
    (file.extension : ("doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx") and
     /* exclude ZIP file header values for OPENXML documents */
     not file.Ext.header_bytes : ("504B0304*", "504B0708*"))
  ) and
  not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.008"
name = "Masquerade File Type"
reference = "https://attack.mitre.org/techniques/T1036/008/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
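As an added example, not Elastic's code and not part of the rule repository, the following Python re-implements the query's predicates so each branch (archive magic bytes, image/media/document extensions, the OOXML carve-out, the IIS compression-cache exclusion) can be exercised offline before tuning the rule. Keys follow the ECS field names used in the query; the sample events and their header-bytes strings are constructed.

```python
import fnmatch

# Hex prefixes of the archive magic bytes the rule looks for:
# RAR, 7z, GZIP, MSCF (cabinet), XZ, ZIP local header, ZIP data descriptor.
ARCHIVE_HEADERS = ("52617221", "377ABCAF271C", "1F8B", "4D534346",
                   "FD377A585A00", "504B0304", "504B0708")
ZIP_HEADERS = ("504B0304", "504B0708")  # OOXML documents are ZIP containers
IMAGE_EXT = {"jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "ico", "fpx", "eps", "inf"}
MEDIA_EXT = {"mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp"}
DOC_EXT = {"doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx"}
IIS_W3WP = "?:\\Windows\\System32\\inetsrv\\w3wp.exe"  # the rule's one tuning exclusion
IIS_TEMP = "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*"

def eql_like(value: str, pattern: str) -> bool:
    """Approximate EQL ':' (case-insensitive, '?' and '*' wildcards) with fnmatch."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def rule_matches(event: dict) -> bool:
    """True when a flat file event (ECS field names as keys) satisfies the rule."""
    if event.get("host.os.type") != "windows" or event.get("event.action") == "deletion":
        return False
    header = event.get("file.Ext.header_bytes", "")
    if not any(eql_like(header, h + "*") for h in ARCHIVE_HEADERS):
        return False  # not an archive by content, nothing to compare against
    ext = event.get("file.extension", "").lower()
    is_zip = any(eql_like(header, z + "*") for z in ZIP_HEADERS)
    if not (ext in IMAGE_EXT or ext in MEDIA_EXT or (ext in DOC_EXT and not is_zip)):
        return False  # extension is consistent with (or allowed for) the content
    if eql_like(event.get("process.executable", ""), IIS_W3WP) and \
            eql_like(event.get("file.path", ""), IIS_TEMP):
        return False  # IIS writes gzip blobs under the original extension here
    return True

def _event(ext, header, path, exe="C:\\Windows\\explorer.exe", action="creation"):
    return {"host.os.type": "windows", "event.action": action, "file.extension": ext,
            "file.Ext.header_bytes": header, "file.path": path, "process.executable": exe}

# Constructed sample events (not real telemetry), one per branch of the rule.
SAMPLE_EVENTS = [
    _event("png", "504B0304140000000800", "C:\\Users\\alice\\Pictures\\holiday.png"),   # ZIP as image: alert
    _event("docx", "504B0304140006000800", "C:\\Users\\alice\\Documents\\report.docx"),  # OOXML: benign
    _event("docx", "526172211A0700", "C:\\Users\\alice\\Documents\\report.docx"),        # RAR as docx: alert
    _event("jpg", "1F8B0800000000000003", "C:\\inetpub\\temp\\IIS Temporary Compressed Files\\site\\logo.jpg",
           exe="C:\\Windows\\System32\\inetsrv\\w3wp.exe"),                              # IIS cache: excluded
    _event("mp4", "377ABCAF271C0004", "C:\\Users\\alice\\Videos\\clip.mp4", action="deletion"),  # ignored
]

def evaluate(events):
    return [rule_matches(e) for e in events]
```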
Stages and Predicates
Stage 1: file

```eql
file where host.os.type == "windows" and event.action != "deletion" and
  file.Ext.header_bytes : ("52617221*", "377ABCAF271C*", "1F8B*", "4d534346*", "FD377A585A00*", "504B0304*", "504B0708*") and
  (
    file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "ico", "fpx", "eps", "inf") or
    file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or
    (file.extension : ("doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx") and
     not file.Ext.header_bytes : ("504B0304*", "504B0708*"))
  ) and
  not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*")
```
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| file.path | starts_with | ?:\inetpub\temp\IIS Temporary Compressed Files\ |
| process.executable | eq | ?:\Windows\System32\inetsrv\w3wp.exe |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank cell or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| event.action | ne | deletion |
| file.Ext.header_bytes | wildcard | 52617221*, 377ABCAF271C*, 1F8B*, 4d534346*, FD377A585A00*, 504B0304*, 504B0708* |
| file.extension | wildcard | jpg, jpeg, emf, tiff, gif, png, bmp, ico, fpx, eps, inf, mp3, wav, avi, mpeg, flv, wma, wmv, mov, mp4, 3gp, doc, docx, rtf, ppt, pptx, xls, xlsx |