| ID | Technique | Tactic |
|---|---|---|
| T1036.008 | Masquerade File Type | Defense Evasion |
Detection: Windows Executable Masquerading as Benign File Types
Description
The following analytic detects the presence of executable files masquerading as benign file types on Windows systems. Adversaries employ this technique to evade defenses and trick users into executing malicious code by renaming executables with extensions commonly associated with documents, images, or other non-executable formats (e.g., .pdf, .jpg, .doc, .png).
Search
1`sysmon`
2EventCode=29
3NOT `executable_extensions`
4
5| stats count min(_time) as firstTime max(_time) as lastTime
6 by Image file_name file_path process_guid file_hash process_id dest user EventCode
7
8| `security_content_ctime(firstTime)`
9
10| `security_content_ctime(lastTime)`
11
12| `windows_executable_masquerading_as_benign_file_types_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 29 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| executable_extensions | (TargetFilename IN ("*.exe", "*.dll", "*.sys", "*.ocx", "*.scr", "*.cpl", "*.efi", "*.drv", "*.bpl", "*.ax", "*.ime", "*.acm", "*.rll", "*.tsp")) |
| windows_executable_masquerading_as_benign_file_types_filter | search * |
windows_executable_masquerading_as_benign_file_types_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
To implement Sysmon EventCode 29 (File Block Executable), you must ensure that your Sysmon deployment is configured to log instances where executable file creation is blocked based on your organization's FileBlockExecutable rules. Once enabled, the corresponding Splunk search requires Sysmon operational logs and an input macro named sysmon, which should be customized to match your environment-specific index, source, and sourcetype settings for Windows Sysmon data. We strongly recommend replacing this macro with values appropriate to your Splunk environment so the search scopes correctly. The search also uses a post-filter macro designed to filter out known false positives.
Known False Positives
File types that are not included in the filter for this detection may generate false positives, so proper filtering is required.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A valid Windows PE executable $file_name$ located in $file_path$ was dropped on $dest$, disguised as a non-executable file type.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 50 | file_path, Image, file_name |
References
-
https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
-
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
-
https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1