IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« File or Directory Deletion Command Finder Sync Plugin Registered and Enabled »

› › ›

File with Suspicious Extension Downloaded

edit

File with Suspicious Extension Downloaded

edit

Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.

Rule type: eql

Rule indices:

logs-endpoint.events.file-*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Rule Type: BBR

Version: 3

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

file where host.os.type == "windows" and event.type == "creation" and
  file.extension : (
    "appinstaller", "application", "appx", "appxbundle", "cpl", "diagcab", "diagpkg", "diagcfg", "manifest",
    "msix", "pif", "search-ms", "searchConnector-ms", "settingcontent-ms", "symlink", "theme", "themepack"
  ) and file.Ext.windows.zone_identifier > 1 and
  not
  (
    (
      file.extension : "msix" and
      file.path : (
        "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*",
        "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WinGet\\State\\defaultState\\Microsoft.PreIndexed.Package\\Microsoft.Winget.Source*"
      )
    ) or
    (
      process.name : "Teams.exe" and process.code_signature.trusted == true and
      file.extension : "msix" and
      file.path : "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Teams\\tmp\\*"
    )
  )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: System Binary Proxy Execution
- ID: T1218
- Reference URL: https://attack.mitre.org/techniques/T1218/
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/
Sub-technique:
- Name: Spearphishing Attachment
- ID: T1566.001
- Reference URL: https://attack.mitre.org/techniques/T1566/001/
Sub-technique:
- Name: Spearphishing Link
- ID: T1566.002
- Reference URL: https://attack.mitre.org/techniques/T1566/002/

« File or Directory Deletion Command Finder Sync Plugin Registered and Enabled »