Processes Running with Unusual Extensions

Processes should always execute from files with PE extensions, such as .exe, so any process whose name carries a non-PE extension, such as .gif, is immediately suspicious.

id:251c26ff-658b-42d1-a808-bafcd4b52284
categories:detect
confidence:low
os:windows
created:7/26/2019
updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1036 Masquerading

Query

process where subtype.create
  and wildcard(process_name,
               "*.pif",   "*.pdf",    "*.docx",   "*.doc",
               "*.xlsx",  "*.xls",    "*.pptx",   "*.ppt",
               "*.txt",   "*.rtf",    "*.gif",    "*.jpg",
               "*.png",   "*.bmp",    "*.vbs",    "*.vbe",
               "*.bat",   "*.js",     "*.cmd",
               "*.wsh",   "*.ps1",    "* "
              )
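The following is an added example, not part of the eqllib analytic or the EQL engine: a small Python re-implementation of the query's filter, run over constructed process events, so the matching behaviour can be checked offline before the rule is deployed. It assumes events are dictionaries with `event_type`, `subtype` and `process_name` keys mirroring the EQL fields the query uses, and that `wildcard()` matches case-insensitively, so names are lower-cased before comparison. The last pattern, `"* "` (asterisk followed by a space), is read here as catching process names that end in a space.

```python
"""Added example: offline re-implementation of the unusual-extension filter.

Assumptions (not from the page): events are dicts carrying 'event_type',
'subtype' and 'process_name'; EQL wildcard() is case-insensitive, which is
emulated by lower-casing the name and using fnmatchcase for determinism
across platforms.
"""
from fnmatch import fnmatchcase

# Same pattern list as the analytic. The final entry "* " (asterisk + space)
# matches a process name that ends in a space, which is why it is kept verbatim.
UNUSUAL_EXTENSION_PATTERNS = [
    "*.pif", "*.pdf", "*.docx", "*.doc",
    "*.xlsx", "*.xls", "*.pptx", "*.ppt",
    "*.txt", "*.rtf", "*.gif", "*.jpg",
    "*.png", "*.bmp", "*.vbs", "*.vbe",
    "*.bat", "*.js", "*.cmd",
    "*.wsh", "*.ps1", "* ",
]


def is_unusual_extension(process_name: str) -> bool:
    """True when the name matches any pattern, ignoring case (like EQL wildcard())."""
    name = process_name.lower()
    return any(fnmatchcase(name, pattern) for pattern in UNUSUAL_EXTENSION_PATTERNS)


def matching_events(events):
    """Apply the query: process-creation events whose process_name matches."""
    return [
        e for e in events
        if e.get("event_type") == "process"
        and e.get("subtype") == "create"
        and is_unusual_extension(e.get("process_name", ""))
    ]


# Constructed sample events (not real telemetry). They cover the true
# positives, the case-insensitivity edge case ("Report.PDF"), the trailing
# space pattern ("setup.exe "), and two records the query must ignore
# (a terminate event and a non-process event).
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "explorer.exe"},
    {"event_type": "process", "subtype": "create", "process_name": "Report.PDF"},
    {"event_type": "process", "subtype": "create", "process_name": "photo.gif"},
    {"event_type": "process", "subtype": "create", "process_name": "setup.exe "},
    {"event_type": "process", "subtype": "terminate", "process_name": "notes.txt"},
    {"event_type": "file", "subtype": "create", "process_name": "a.js"},
    {"event_type": "process", "subtype": "create", "process_name": "svchost.exe"},
]

if __name__ == "__main__":
    for event in matching_events(SAMPLE_EVENTS):
        print("ALERT unusual extension:", repr(event["process_name"]))
```

Running the block prints three alerts (`'Report.PDF'`, `'photo.gif'`, `'setup.exe '`); the `.txt` terminate event and the `.js` file event fall outside the `process where subtype.create` scope and are not reported.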

Contributors