EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious Appended Extension

Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.

MITRE ATT&CK

T1486
impact

Detection Query

selection:
  SourceFilename|endswith:
    - .doc
    - .docx
    - .jpeg
    - .jpg
    - .lnk
    - .pdf
    - .png
    - .pst
    - .rtf
    - .xls
    - .xlsx
  TargetFilename|contains:
    - .doc.
    - .docx.
    - .jpeg.
    - .jpg.
    - .lnk.
    - .pdf.
    - .png.
    - .pst.
    - .rtf.
    - .xls.
    - .xlsx.
filter_main_generic:
  TargetFilename|endswith:
    - .backup
    - .bak
    - .old
    - .orig
    - .temp
    - .tmp
filter_optional_anaconda:
  TargetFilename|contains: :\ProgramData\Anaconda3\
  TargetFilename|endswith: .c~
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

frack113

Created

2022-07-16

Data Sources

windowsfile_rename

Platforms

windows

References

Tags

attack.impactattack.t1486
Raw Content
title: Suspicious Appended Extension
id: e3f673b3-65d1-4d80-9146-466f8b63fa99
status: test
description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
references:
    - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022-07-16
modified: 2023-11-11
tags:
    - attack.impact
    - attack.t1486
logsource:
    product: windows
    category: file_rename
    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
    selection:
        SourceFilename|endswith:
            - '.doc'
            - '.docx'
            - '.jpeg'
            - '.jpg'
            - '.lnk'
            - '.pdf'
            - '.png'
            - '.pst'
            - '.rtf'
            - '.xls'
            - '.xlsx'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpeg.'
            - '.jpg.'
            - '.lnk.'
            - '.pdf.'
            - '.png.'
            - '.pst.'
            - '.rtf.'
            - '.xls.'
            - '.xlsx.'
    filter_main_generic:
        TargetFilename|endswith:
            # Note: Please add more used extensions by backup or recovery software
            - '.backup'
            - '.bak'
            - '.old'
            - '.orig'
            - '.temp'
            - '.tmp'
    filter_optional_anaconda:
        TargetFilename|contains: ':\ProgramData\Anaconda3\'
        TargetFilename|endswith: '.c~'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Backup software
level: medium