File with Suspicious Extension Downloaded

edit

Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Data Source: Elastic Defend
  • Rule Type: BBR

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
file where host.os.type == "windows" and event.type == "creation" and
  file.extension : (
    "appinstaller", "application", "appx", "appxbundle", "cpl", "diagcab", "diagpkg", "diagcfg", "manifest",
    "msix", "pif", "search-ms", "searchConnector-ms", "settingcontent-ms", "symlink", "theme", "themepack"
  ) and file.Ext.windows.zone_identifier > 1 and
  not
  (
    file.extension : "msix" and
    file.path : (
      "?:\\Users\\*\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source*",
      "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\WinGet\\State\\defaultState\\Microsoft.PreIndexed.Package\\Microsoft.Winget.Source*"
    )
  )

Framework: MITRE ATT&CKTM