Update Suspicious Double Extension File Execution Rules
### Summary of the Pull Request
update susp double extension rule
### Changelog
update: Suspicious Process Execution Masquerading as Legitimate Files - Add new values to detection values
### Example Log Event

```
RuleName: -
UtcTime: 2024-10-01 10:08:06.418
ProcessGuid: {6e6be129-ca06-66fb-4501-000000001700}
ProcessId: 3204
Image: C:\Users\MalGamy\Desktop\detection\file.dat.exe
FileVersion: Release 0.81
Description: Command-line SCP/SFTP client
Product: PuTTY suite
Company: Simon Tatham
OriginalFileName: PSCP
CommandLine: "C:\Users\MalGamy\Desktop\detection\file.dat.exe"
CurrentDirectory: C:\Users\MalGamy\Desktop\detection\
User: DESKTOP-0TOC207\MalGamy
LogonGuid: {6e6be129-c82d-66fb-1478-090000000000}
LogonId: 0x97814
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=D056BBAFB3E69EFC93D659DE9E9666C453C19F59FE3FED0B53E6B051BFB9866A
ParentProcessGuid: {6e6be129-c832-66fb-9c00-000000001700}
ParentProcessId: 5124
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE
ParentUser: DESKTOP-0TOC207\MalGamy
```
### Fixed Issues
NA
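The detection logic this PR extends, as an added Python example (not the Sigma project's own code): it parses the Sysmon event above into fields and applies a double-extension check to `Image`, plus the OriginalFileName mismatch that the same log exposes (a PuTTY `PSCP` binary running as `file.dat.exe`). The list of document extensions and the helper names are assumptions for illustration, not the rule's actual value list.

```python
import re

# Sysmon process-creation event, constructed from the PR's example log above.
SAMPLE_EVENT = r"""RuleName: -
UtcTime: 2024-10-01 10:08:06.418
Image: C:\Users\MalGamy\Desktop\detection\file.dat.exe
OriginalFileName: PSCP
CommandLine: "C:\Users\MalGamy\Desktop\detection\file.dat.exe"
ParentImage: C:\Windows\explorer.exe
"""

# Assumed set of "document-looking" extensions that should never sit in front of
# .exe; the real rule's value list is not reproduced here.
DOC_EXTENSIONS = ("dat", "txt", "pdf", "doc", "docx", "xls", "xlsx",
                  "ppt", "jpg", "png", "zip", "rar")
DOUBLE_EXT = re.compile(r"\.(?:" + "|".join(DOC_EXTENSIONS) + r")\.exe$",
                        re.IGNORECASE)


def parse_sysmon_event(text):
    """Parse the 'Key: value' lines of a Sysmon event into a dict."""
    event = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        event[key.strip()] = value.strip()
    return event


def image_name(event):
    """Basename of the Image field (Windows path separators)."""
    return event.get("Image", "").rsplit("\\", 1)[-1]


def is_double_extension(event):
    """Equivalent of the rule's selection: Image ends with '.<doc-ext>.exe'."""
    return bool(DOUBLE_EXT.search(image_name(event)))


def original_name_mismatch(event):
    """Second signal in the log: the PE's OriginalFileName differs from the on-disk name."""
    original = event.get("OriginalFileName", "").lower().rsplit(".", 1)[0]
    on_disk = image_name(event).lower().rsplit(".", 1)[0]
    return bool(original) and original != on_disk


def evaluate(text):
    """Run both checks over one raw event; returns the fields an alert would carry."""
    event = parse_sysmon_event(text)
    return {"image": image_name(event),
            "matched": is_double_extension(event),
            "renamed": original_name_mismatch(event)}
```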
5e6a80c8-2d45-4633-9ef4-fa2671a39c5c should be updated too, shouldn't it?
I did some tests. Yes, we need to update it, so I will update the rule's Sysmon example: