Techniques
Sample rules
Suspicious Appended Extension
- source: sigma
- techniques:
- t1486
Description
Detects file renames where the target filename uses an uncommon double extension. This could indicate ransomware activity that renames files and appends a custom extension to the encrypted files, such as “.jpg.crypted”, “.docx.locky”, etc.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
    TargetFilename|endswith:
        - .backup
        - .bak
        - .old
        - .orig
        - .temp
        - .tmp
filter_optional_anaconda:
    TargetFilename|contains: ':\ProgramData\Anaconda3\'
    TargetFilename|endswith: .c~
selection:
    SourceFilename|endswith:
        - .doc
        - .docx
        - .jpeg
        - .jpg
        - .lnk
        - .pdf
        - .png
        - .pst
        - .rtf
        - .xls
        - .xlsx
    TargetFilename|contains:
        - .doc.
        - .docx.
        - .jpeg.
        - .jpg.
        - .lnk.
        - .pdf.
        - .png.
        - .pst.
        - .rtf.
        - .xls.
        - .xlsx.
Access To Crypto Currency Wallets By Uncommon Applications
- source: sigma
- techniques:
- t1003
Description
Detects file access requests to crypto currency wallet files by uncommon processes. This could indicate an attempt to steal crypto currency wallets.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
    Image|startswith:
        - C:\Program Files (x86)\
        - C:\Program Files\
        - C:\Windows\system32\
        - C:\Windows\SysWOW64\
filter_main_system:
    Image: System
filter_optional_defender:
    Image|endswith:
        - \MpCopyAccelerator.exe
        - \MsMpEng.exe
    Image|startswith: C:\ProgramData\Microsoft\Windows Defender\
selection:
    - FileName|contains:
        - \AppData\Roaming\Ethereum\keystore\
        - \AppData\Roaming\EthereumClassic\keystore\
        - \AppData\Roaming\monero\wallets\
    - FileName|endswith:
        - \AppData\Roaming\Bitcoin\wallet.dat
        - \AppData\Roaming\BitcoinABC\wallet.dat
        - \AppData\Roaming\BitcoinSV\wallet.dat
        - \AppData\Roaming\DashCore\wallet.dat
        - \AppData\Roaming\DogeCoin\wallet.dat
        - \AppData\Roaming\Litecoin\wallet.dat
        - \AppData\Roaming\Ripple\wallet.dat
        - \AppData\Roaming\Zcash\wallet.dat
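As an added example (not code from this page or from the Sigma project), the following Python evaluates both rules above against events, applying the condition semantics the rules rely on: fields inside one map are AND-ed, values in a list are OR-ed, a list of maps (the wallet selection) is OR-ed, and `1 of filter_*` excludes the event when any filter block matches. The wallet selection lists are trimmed to a subset of the page's entries, and all event paths are constructed.

```python
"""Evaluate the two Sigma rules above against events (added example, not Sigma project code)."""
# Sigma value modifiers used by these rules; Sigma string matching is case-insensitive.
OPS = {"endswith": str.endswith, "startswith": str.startswith,
       "contains": lambda actual, want: want in actual, "": str.__eq__}

def _match_field(event, key, want):
    """Evaluate one 'Field|modifier: value(s)' line; a list of values is OR-ed."""
    field, _, mod = key.partition("|")
    actual = str(event.get(field, "")).lower()
    wants = want if isinstance(want, list) else [want]
    return any(OPS[mod](actual, str(w).lower()) for w in wants)

def _match_block(event, block):
    """A map block AND-s its fields; a list of maps (the wallet selection) OR-s them."""
    if isinstance(block, list):
        return any(_match_block(event, b) for b in block)
    return all(_match_field(event, k, v) for k, v in block.items())

def matches(rule, event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    hit = _match_block(event, rule["selection"])
    excluded = any(_match_block(event, b) for name, b in rule.items() if name.startswith("filter_"))
    return hit and not excluded

DOC_EXT = [".doc", ".docx", ".jpeg", ".jpg", ".lnk", ".pdf", ".png", ".pst", ".rtf", ".xls", ".xlsx"]
APPENDED_EXTENSION = {  # file rename event: SourceFilename -> TargetFilename
    "selection": {"SourceFilename|endswith": DOC_EXT,
                  "TargetFilename|contains": [ext + "." for ext in DOC_EXT]},
    "filter_main_generic": {"TargetFilename|endswith": [".backup", ".bak", ".old", ".orig", ".temp", ".tmp"]},
    "filter_optional_anaconda": {"TargetFilename|contains": ":\\ProgramData\\Anaconda3\\",
                                 "TargetFilename|endswith": ".c~"},
}
WALLET_ACCESS = {  # file access event: Image (process) reading FileName; wallet lists trimmed to a subset
    "selection": [{"FileName|contains": ["\\AppData\\Roaming\\Ethereum\\keystore\\",
                                         "\\AppData\\Roaming\\monero\\wallets\\"]},
                  {"FileName|endswith": ["\\AppData\\Roaming\\Bitcoin\\wallet.dat",
                                         "\\AppData\\Roaming\\Litecoin\\wallet.dat"]}],
    "filter_main_generic": {"Image|startswith": ["C:\\Program Files (x86)\\", "C:\\Program Files\\",
                                                 "C:\\Windows\\system32\\", "C:\\Windows\\SysWOW64\\"]},
    "filter_main_system": {"Image": "System"},
    "filter_optional_defender": {"Image|endswith": ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"],
                                 "Image|startswith": "C:\\ProgramData\\Microsoft\\Windows Defender\\"},
}

if __name__ == "__main__":  # constructed sample event: a document renamed with an appended extension
    rename = {"SourceFilename": "C:\\Users\\a\\Documents\\q4.xlsx",
              "TargetFilename": "C:\\Users\\a\\Documents\\q4.xlsx.locky"}
    print(matches(APPENDED_EXTENSION, rename))  # True
```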