← Back to Explore
sigmahighHunting
Suspicious Double Extension Files
Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
Detection Query
selection_gen:
TargetFilename|endswith:
- .exe
- .iso
- .rar
- .svg
- .zip
TargetFilename|contains:
- .doc.
- .docx.
- .gif.
- .jpeg.
- .jpg.
- .mp3.
- .mp4.
- .pdf.
- .png.
- .ppt.
- .pptx.
- .rtf.
- .svg.
- .txt.
- .xls.
- .xlsx.
selection_exe:
TargetFilename|endswith:
- .rar.exe
- .zip.exe
filter_icons_linux:
TargetFilename|startswith: /usr/share/icons/
condition: 1 of selection_* and not 1 of filter_*
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Created
2022-06-19
Data Sources
windowsFile Events
Platforms
windows
References
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
Tags
attack.defense-evasionattack.t1036.007
Raw Content
title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
- id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
type: derived
- id: 3215aa19-f060-4332-86d5-5602511f3ca8
type: similar
status: test
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-06-19
modified: 2026-03-31
tags:
- attack.defense-evasion
- attack.t1036.007
logsource:
category: file_event
product: windows
detection:
selection_gen:
TargetFilename|endswith:
- '.exe'
- '.iso'
- '.rar'
- '.svg'
- '.zip'
# - '.lnk' # legitimate links can happen just anywhere
TargetFilename|contains:
- '.doc.'
- '.docx.'
- '.gif.'
- '.jpeg.'
- '.jpg.'
- '.mp3.'
- '.mp4.'
- '.pdf.'
- '.png.'
- '.ppt.'
- '.pptx.'
- '.rtf.'
- '.svg.'
- '.txt.'
- '.xls.'
- '.xlsx.'
selection_exe:
TargetFilename|endswith:
- '.rar.exe'
- '.zip.exe'
# Note: If you wanna keep using the ".lnk" extension. You might uncomment this filter and add additional locations
# filter_main_lnk:
# TargetFilename|contains:
# - '\AppData\Roaming\Microsoft\Office\Recent\'
# - '\AppData\Roaming\Microsoft\Windows\Recent\'
filter_icons_linux:
TargetFilename|startswith: '/usr/share/icons/'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unlikely
level: high