LoFP / Some tuning is required for other general-purpose directories of third-party apps.

Techniques

Sample rules

Suspicious LNK Double Extension File Created

Description

Detects the creation of files that carry ".lnk" as a second extension (for example, invoice.pdf.lnk). Malware sometimes uses this trick because Windows Explorer never displays the ".lnk" extension of a shortcut (the lnkfile class is registered with NeverShowExt, independent of the "hide extensions for known file types" setting), so the file is shown to the user as invoice.pdf while double-clicking it executes the shortcut target.

Detection logic

selection:
  TargetFilename|contains:
  - .doc.
  - .docx.
  - .jpg.
  - .pdf.
  - .ppt.
  - .pptx.
  - .xls.
  - .xlsx.
  TargetFilename|endswith: .lnk
filter_main_recent:
  TargetFilename|contains: \AppData\Roaming\Microsoft\Windows\Recent\
filter_optional_office_excel:
  Image|endswith: \excel.exe
  TargetFilename|contains: \AppData\Roaming\Microsoft\Excel
filter_optional_office_powerpoint:
  Image|endswith: \powerpnt.exe
  TargetFilename|contains: \AppData\Roaming\Microsoft\PowerPoint
filter_optional_office_recent:
  Image|endswith:
  - \excel.exe
  - \powerpnt.exe
  - \winword.exe
  TargetFilename|contains: \AppData\Roaming\Microsoft\Office\Recent\
filter_optional_office_word:
  Image|endswith: \winword.exe
  TargetFilename|contains: \AppData\Roaming\Microsoft\Word
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
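To see how the selection and filter blocks above combine, the following added example (written for this page, not code from the LoFP project or the Sigma rule's authors) re-implements the rule's matching logic in Python and runs it over a handful of constructed file-creation events with Sysmon FileCreate-style fields (Image, TargetFilename). It reproduces two Sigma semantics that matter here: string modifiers are case-insensitive by default, and every field inside one filter block must match for that block to suppress the event. The events, paths and user names are invented for illustration.

```python
"""Evaluate the 'Suspicious LNK Double Extension File Created' logic over
constructed Sysmon-style file-creation events.

Added example for this page; not the LoFP project's or Sigma's own code.
Field names follow the Sysmon Event ID 11 schema (Image, TargetFilename).
"""

# selection: TargetFilename|contains (any of) AND TargetFilename|endswith
SELECTION_CONTAINS = [".doc.", ".docx.", ".jpg.", ".pdf.", ".ppt.", ".pptx.", ".xls.", ".xlsx."]
SELECTION_ENDSWITH = ".lnk"

# Each filter block: all listed fields must match (AND); a list inside a
# field means any value may match (OR), as in Sigma.
FILTER_MAIN = {
    "filter_main_recent": {
        "target_contains": "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\",
    },
}
FILTER_OPTIONAL = {
    "filter_optional_office_excel": {
        "image_endswith": ["\\excel.exe"],
        "target_contains": "\\AppData\\Roaming\\Microsoft\\Excel",
    },
    "filter_optional_office_powerpoint": {
        "image_endswith": ["\\powerpnt.exe"],
        "target_contains": "\\AppData\\Roaming\\Microsoft\\PowerPoint",
    },
    "filter_optional_office_recent": {
        "image_endswith": ["\\excel.exe", "\\powerpnt.exe", "\\winword.exe"],
        "target_contains": "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\",
    },
    "filter_optional_office_word": {
        "image_endswith": ["\\winword.exe"],
        "target_contains": "\\AppData\\Roaming\\Microsoft\\Word",
    },
}


def matches_selection(event):
    """Sigma string matching is case-insensitive by default, so lower-case both sides."""
    name = event.get("TargetFilename", "").lower()
    return name.endswith(SELECTION_ENDSWITH) and any(ext in name for ext in SELECTION_CONTAINS)


def filter_matches(spec, event):
    """True only if every field condition in the filter block holds."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if "image_endswith" in spec and not any(image.endswith(s.lower()) for s in spec["image_endswith"]):
        return False
    return spec["target_contains"].lower() in target


def evaluate(event):
    """Return (alert, reason). reason names the suppressing filter, or why no alert fired."""
    if not matches_selection(event):
        return False, "no selection match"
    for name, spec in {**FILTER_MAIN, **FILTER_OPTIONAL}.items():
        if filter_matches(spec, event):
            return False, name
    return True, "selection"


# Constructed sample events (hypothetical user 'alice'; not real telemetry).
EVENTS = [
    # 1. classic lure dropped in Downloads; upper-case extension still matches
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice.PDF.lnk"},
    # 2. Windows' own recent-items shortcut, suppressed by filter_main_recent
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.docx.lnk"},
    # 3. Word writing its own recent-file shortcut, suppressed by filter_optional_office_word
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\budget.docx.lnk"},
    # 4. same path but written by cmd.exe: the Image half of the filter fails, so it alerts
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\budget.docx.lnk"},
    # 5. extension not in the selection list: the rule is blind to it
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\readme.txt.lnk"},
]


def run(events=EVENTS):
    """Evaluate every event; returns [(TargetFilename, alert, reason), ...]."""
    return [(e["TargetFilename"], *evaluate(e)) for e in events]


if __name__ == "__main__":
    for name, alert, reason in run():
        print(f"{'ALERT ' if alert else 'quiet '} {name}  ({reason})")
```

Two practical observations fall out of running it. The `contains` values are substrings of the whole path, so a directory name containing ".pdf." would also satisfy the selection, which is one reason the LoFP entry above notes that third-party application directories need tuning. And the selection list is closed: a double extension outside the eight listed (readme.txt.lnk, archive.zip.lnk) never reaches the filters at all, so extending the list is a coverage decision, not a false-positive one.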