Techniques
Sample rules
Suspicious Appended Extension
- source: sigma
- techniques:
  - t1486
Description
Detects file renames where the target filename uses an uncommon double extension. Could indicate ransomware activity renaming files and appending a custom extension to the encrypted copies, such as ".jpg.crypted" or ".docx.locky". Note that the selection only fires when the source file already carries one of the listed document or image extensions and the new name still contains that extension followed by a dot; renames to common backup-style targets (.bak, .tmp, .old and the like) are filtered out, so a ".txt.crypted" rename or a ransomware family that replaces rather than appends the extension will not trigger this rule.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  TargetFilename|endswith:
    - .backup
    - .bak
    - .old
    - .orig
    - .temp
    - .tmp
filter_optional_anaconda:
  TargetFilename|contains: ':\ProgramData\Anaconda3\'
  TargetFilename|endswith: .c~
selection:
  SourceFilename|endswith:
    - .doc
    - .docx
    - .jpeg
    - .jpg
    - .lnk
    - .pdf
    - .png
    - .pst
    - .rtf
    - .xls
    - .xlsx
  TargetFilename|contains:
    - .doc.
    - .docx.
    - .jpeg.
    - .jpg.
    - .lnk.
    - .pdf.
    - .png.
    - .pst.
    - .rtf.
    - .xls.
    - .xlsx.
Access To Windows Outlook Mail Files By Uncommon Application
- source: sigma
- techniques:
  - t1070
  - t1070.008
Description
Detects file access requests to the Windows Mail (Outlook) message store under the user's AppData\Local\Comms directory by uncommon processes. Could indicate an attempt at credential theft. Requires heavy baselining before use: the filters only exclude images under Program Files, System32 and SysWOW64, the System process, Windows Defender and THOR, so any other legitimate backup, indexing or sync tool that touches the store will fire.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
    - ':\Program Files (x86)\'
    - ':\Program Files\'
    - ':\Windows\system32\'
    - ':\Windows\SysWOW64\'
filter_main_system:
  Image: System
filter_optional_defender:
  Image|contains: ':\ProgramData\Microsoft\Windows Defender\'
  Image|endswith:
    - \MpCopyAccelerator.exe
    - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
    - \thor64.exe
    - \thor.exe
selection_unistore:
  FileName|contains: \AppData\Local\Comms\Unistore\data
selection_unistoredb:
  FileName|endswith: \AppData\Local\Comms\UnistoreDB\store.vol
Access To Browser Credential Files By Uncommon Application
- source: sigma
- techniques:
  - t1003
Description
Detects file access requests to browser credential stores (Chromium Login Data, Cookies and Local State; Firefox key3.db, key4.db, logins.json and cookies.sqlite; the Internet Explorer/Edge WebCacheV01.dat) by uncommon processes. Could indicate an attempt at credential theft. Requires heavy baselining before use: the filters only exclude images under Program Files, System32 and SysWOW64, the System process, Windows Defender and THOR, so the browsers themselves only escape the rule when installed under Program Files, and per-user installs, backup agents and password managers will need their own filters.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|contains:
    - ':\Program Files (x86)\'
    - ':\Program Files\'
    - ':\Windows\system32\'
    - ':\Windows\SysWOW64\'
filter_main_system:
  Image: System
filter_optional_defender:
  Image|contains: ':\ProgramData\Microsoft\Windows Defender\'
  Image|endswith:
    - \MpCopyAccelerator.exe
    - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
    - \thor64.exe
    - \thor.exe
selection_chromium:
  FileName|contains:
    - \Appdata\Local\Chrome\User Data\Default\Login Data
    - \AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    - \AppData\Local\Google\Chrome\User Data\Local State
selection_firefox:
  FileName|endswith:
    - \cookies.sqlite
    - release\key3.db
    - release\key4.db
    - release\logins.json
selection_ie:
  FileName|endswith: \Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
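As an added example that is not part of this page or of the Sigma project's own code, the following Python evaluates the three detection blocks above (Suspicious Appended Extension, Access To Windows Outlook Mail Files By Uncommon Application, Access To Browser Credential Files By Uncommon Application) against constructed sample events. It implements only the matching behaviour these rules rely on: case-insensitive `contains`, `endswith` and exact match with literal backslashes, keys of one map ANDed, list values ORed, and both condition forms reduced to "some selection matches and no filter matches". The event dicts, the `evaluate`/`run_rules` helper names and every file path in the samples are my assumptions, not telemetry or code from the page.

```python
# Added example, not the Sigma project's code. Assumptions: events are dicts
# keyed by the Sigma field names the rules use; only the modifiers these rules
# need (none, |contains, |endswith) are implemented; wildcards are not handled.


def match_field(value, modifier, patterns):
    """One field against one pattern or a list of patterns (ORed).
    Sigma string matching is case-insensitive and backslashes are literal,
    which is why a pattern spelled '\\Appdata' still hits a path with 'AppData'."""
    if value is None:
        return False
    v = value.lower()
    pats = [p.lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "":
        return v in pats  # exact match, e.g. "Image: System"
    raise ValueError(f"unsupported modifier: {modifier}")


def match_map(event, fields):
    """All keys of one selection/filter map must match (AND)."""
    for key, patterns in fields.items():
        field, _, modifier = key.partition("|")
        if not match_field(event.get(field), modifier, patterns):
            return False
    return True


def evaluate(detection, event):
    """'selection and not 1 of filter_main_* and not 1 of filter_optional_*' and
    '1 of selection_* and not ...' both reduce to: some selection matches and
    no filter matches."""
    selections = [v for k, v in detection.items() if k.startswith("selection")]
    filters = [v for k, v in detection.items() if k.startswith("filter_")]
    return any(match_map(event, s) for s in selections) and not any(
        match_map(event, f) for f in filters)


DOC_EXTS = [".doc", ".docx", ".jpeg", ".jpg", ".lnk", ".pdf", ".png", ".pst", ".rtf", ".xls", ".xlsx"]
SUSPICIOUS_APPENDED_EXTENSION = {
    "selection": {"SourceFilename|endswith": DOC_EXTS,
                  "TargetFilename|contains": [e + "." for e in DOC_EXTS]},
    "filter_main_generic": {"TargetFilename|endswith": [".backup", ".bak", ".old", ".orig", ".temp", ".tmp"]},
    "filter_optional_anaconda": {"TargetFilename|contains": ":\\ProgramData\\Anaconda3\\",
                                 "TargetFilename|endswith": ".c~"},
}
# Filters shared verbatim by the two file-access rules.
UNCOMMON_APP_FILTERS = {
    "filter_main_generic": {"Image|contains": [":\\Program Files (x86)\\", ":\\Program Files\\",
                                               ":\\Windows\\system32\\", ":\\Windows\\SysWOW64\\"]},
    "filter_main_system": {"Image": "System"},
    "filter_optional_defender": {"Image|contains": ":\\ProgramData\\Microsoft\\Windows Defender\\",
                                 "Image|endswith": ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"]},
    "filter_optional_thor": {"Image|endswith": ["\\thor64.exe", "\\thor.exe"]},
}
OUTLOOK_MAIL_FILES = {
    "selection_unistore": {"FileName|contains": "\\AppData\\Local\\Comms\\Unistore\\data"},
    "selection_unistoredb": {"FileName|endswith": "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"},
    **UNCOMMON_APP_FILTERS,
}
BROWSER_CREDENTIAL_FILES = {
    "selection_chromium": {"FileName|contains": [
        "\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data",
        "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
        "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"]},
    "selection_firefox": {"FileName|endswith": ["\\cookies.sqlite", "release\\key3.db",
                                                "release\\key4.db", "release\\logins.json"]},
    "selection_ie": {"FileName|endswith": "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat"},
    **UNCOMMON_APP_FILTERS,
}
RULES = {
    "Suspicious Appended Extension": SUSPICIOUS_APPENDED_EXTENSION,
    "Access To Windows Outlook Mail Files By Uncommon Application": OUTLOOK_MAIL_FILES,
    "Access To Browser Credential Files By Uncommon Application": BROWSER_CREDENTIAL_FILES,
}

# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "SourceFilename": r"C:\Users\alice\Documents\report.docx",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx.locky"},  # fires
    {"id": 2, "SourceFilename": r"C:\Users\alice\Documents\budget.xlsx",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.bak"},  # .bak filter: silent
    {"id": 3, "SourceFilename": r"C:\Users\alice\Documents\notes.txt",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt.crypted"},  # .txt not in selection: silent
    {"id": 4, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},  # fires
    {"id": 5, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},  # filtered
    {"id": 6, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Comms\UnistoreDB\store.vol"},  # fires
    {"id": 7, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"},  # fires, case-insensitive
]


def run_rules(events):
    """Return (event id, rule title) for every rule that fires on each event."""
    return [(e["id"], title) for e in events for title, det in RULES.items() if evaluate(det, e)]


if __name__ == "__main__":
    for event_id, title in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

Running it shows the gaps a practitioner should expect from the rules as written: event 3 (a .txt file renamed to .txt.crypted) and event 2 (a .bak copy) stay silent, event 5 is suppressed only because the browser lives under Program Files, and event 7 fires even though the rule's `\Appdata` spelling differs from the on-disk `AppData`, because Sigma string matching is case-insensitive.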