← Back to Explore
sigmamediumHunting
Suspicious LNK Double Extension File Created
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
Detection Query
selection:
TargetFilename|endswith: .lnk
TargetFilename|contains:
- .doc.
- .docx.
- .jpg.
- .pdf.
- .ppt.
- .pptx.
- .xls.
- .xlsx.
filter_main_recent:
TargetFilename|contains: \AppData\Roaming\Microsoft\Windows\Recent\
filter_optional_office_recent:
Image|endswith:
- \excel.exe
- \powerpnt.exe
- \winword.exe
TargetFilename|contains: \AppData\Roaming\Microsoft\Office\Recent\
filter_optional_office_excel:
Image|endswith: \excel.exe
TargetFilename|contains: \AppData\Roaming\Microsoft\Excel
filter_optional_office_powerpoint:
Image|endswith: \powerpnt.exe
TargetFilename|contains: \AppData\Roaming\Microsoft\PowerPoint
filter_optional_office_word:
Image|endswith: \winword.exe
TargetFilename|contains: \AppData\Roaming\Microsoft\Word
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Created
2022-11-07
Data Sources
windowsFile Events
Platforms
windows
References
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
Tags
attack.defense-evasionattack.t1036.007
Raw Content
title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
- id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
type: derived
status: test
description: |
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-11-07
modified: 2023-10-18
tags:
- attack.defense-evasion
- attack.t1036.007
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '.lnk'
TargetFilename|contains:
- '.doc.'
- '.docx.'
- '.jpg.'
- '.pdf.'
- '.ppt.'
- '.pptx.'
- '.xls.'
- '.xlsx.'
filter_main_recent:
TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
filter_optional_office_recent:
Image|endswith:
# Note: Some additional office application might need to be added
- '\excel.exe'
- '\powerpnt.exe'
- '\winword.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
filter_optional_office_excel:
Image|endswith: '\excel.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
filter_optional_office_powerpoint:
Image|endswith: '\powerpnt.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
filter_optional_office_word:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some tuning is required for other general purpose directories of third party apps
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml