Processes Running with Unusual Extensions

Processes should always be executing with PE extensions, such as .exe, so any execution from a non-PE extension, such as .gif, is immediately suspicious.
| id | 251c26ff-658b-42d1-a808-bafcd4b52284 |
|---|---|
| categories | detect |
| confidence | low |
| os | windows |
| created | 7/26/2019 |
| updated | 7/26/2019 |
MITRE ATT&CK™ Mapping

| tactics | Defense Evasion |
|---|---|
| techniques | T1036 Masquerading |
Query

process where subtype.create
  and wildcard(process_name,
    "*.pif", "*.pdf", "*.docx", "*.doc",
    "*.xlsx", "*.xls", "*.pptx", "*.ppt",
    "*.txt", "*.rtf", "*.gif", "*.jpg",
    "*.png", "*.bmp", "*.vbs", "*.vbe",
    "*.bat", "*.js", "*.cmd",
    "*.wsh", "*.ps1", "* ")
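The following Python script is an added example, not part of the original analytic, that applies the same logic as the query above to a handful of constructed process events: it keeps only process creation events and flags any whose process_name matches one of the listed wildcard patterns. It assumes, as the query implies, that matching is case-insensitive (Windows file names are), and that the final "* " pattern is meant to catch names that end in a trailing space. The event dictionaries and their field names (event_type, subtype, pid, process_name) are constructed sample data and are not the Endgame schema. One thing the sample set makes visible is that a double extension such as "photo.jpg.exe" does not match "*.jpg", because the pattern must cover the whole name; that case needs a separate analytic.

```python
import fnmatch

# Patterns copied from the page's query; "* " flags names with a trailing space.
UNUSUAL_NAME_PATTERNS = [
    "*.pif", "*.pdf", "*.docx", "*.doc",
    "*.xlsx", "*.xls", "*.pptx", "*.ppt",
    "*.txt", "*.rtf", "*.gif", "*.jpg",
    "*.png", "*.bmp", "*.vbs", "*.vbe",
    "*.bat", "*.js", "*.cmd",
    "*.wsh", "*.ps1", "* ",
]


def has_unusual_extension(process_name: str) -> bool:
    """True if the whole process name matches any pattern.

    Matching is case-insensitive (assumption: mirrors Windows file names and
    the behaviour the query relies on). fnmatchcase is used after lowering
    both sides so the result does not depend on the host OS.
    """
    name = process_name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in UNUSUAL_NAME_PATTERNS)


def find_unusual_process_creates(events):
    """Apply the query: process creation events whose name matches a pattern.

    Returns the list of matching events in input order.
    """
    return [
        e for e in events
        if e.get("event_type") == "process"
        and e.get("subtype") == "create"
        and has_unusual_extension(e.get("process_name", ""))
    ]


# Constructed sample events (not real telemetry; field names are assumptions).
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "pid": 4012,
     "process_name": "winword.exe"},            # normal PE extension
    {"event_type": "process", "subtype": "create", "pid": 4100,
     "process_name": "invoice.PDF"},            # executing as a .pdf
    {"event_type": "process", "subtype": "terminate", "pid": 4100,
     "process_name": "invoice.PDF"},            # not a creation event
    {"event_type": "process", "subtype": "create", "pid": 4222,
     "process_name": "update.exe "},            # trailing space, hit by "* "
    {"event_type": "file", "subtype": "create", "pid": 4012,
     "file_name": "notes.txt"},                 # not a process event
    {"event_type": "process", "subtype": "create", "pid": 4300,
     "process_name": "photo.jpg.exe"},          # double extension, not matched
]


if __name__ == "__main__":
    for hit in find_unusual_process_creates(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} process_name={hit['process_name']!r}")
```

Running the script prints alerts for pid 4100 and pid 4222 only. The terminate event is dropped by the subtype check, the file event by the event_type check, and "photo.jpg.exe" falls through because no pattern ends in ".exe".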