Detects adversary behavior where a file with a benign-looking first extension (e.g., .txt, .jpg) ends with a dangerous second extension (e.g., .exe, .scr) and is subsequently executed. The behavior chain consists of file creation with misleading naming followed by user- or system-initiated process execution from the disguised file.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| benign_extensions | List of extensions typically used to masquerade malicious files (.txt, .jpg, .doc, .pdf) |
| dangerous_extensions | List of true executable extensions that may be abused (.exe, .scr, .hta, .lnk) |
| monitored_paths | Specific directories to focus on (e.g., Downloads folder, %TEMP%, Desktop) |
| TimeWindow | Duration between file creation and process execution to correlate activity |
| UserContext | Whether the behavior occurs in a standard user session or elevated context |
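The correlation described above (Sysmon EventCode=11 file creation of a double-extension file in a monitored path, followed by EventCode=1 execution of that file within the time window), as an added Python example that is not part of the original strategy; the extension lists, paths, window and sample events are assumed values constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Tunable fields from the strategy table; the values are assumptions for this example.
BENIGN_EXTENSIONS = {".txt", ".jpg", ".doc", ".pdf"}
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".hta", ".lnk"}
MONITORED_PATHS = ("\\downloads\\", "\\temp\\", "\\desktop\\")
TIME_WINDOW = timedelta(minutes=10)

# Captures the last two extensions, e.g. "invoice.pdf.exe" -> ("pdf", "exe").
DOUBLE_EXT = re.compile(r"\.([a-z0-9]{2,4})\.([a-z0-9]{2,4})$", re.IGNORECASE)

def is_double_extension(path):
    """True when a benign-looking extension is directly followed by a dangerous one."""
    m = DOUBLE_EXT.search(path)
    if not m:
        return False
    first, second = "." + m.group(1).lower(), "." + m.group(2).lower()
    return first in BENIGN_EXTENSIONS and second in DANGEROUS_EXTENSIONS

def in_monitored_path(path):
    return any(seg in path.lower() for seg in MONITORED_PATHS)

def correlate(events):
    """Pair a Sysmon EventCode=11 creation of a disguised file with a later
    EventCode=1 execution of that same file inside TIME_WINDOW; return alerts."""
    creations, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventCode"] == 11:
            target = ev["TargetFilename"]
            if is_double_extension(target) and in_monitored_path(target):
                creations[target.lower()] = ev
        elif ev["EventCode"] == 1:
            created = creations.get(ev["Image"].lower())
            if created and ev["UtcTime"] - created["UtcTime"] <= TIME_WINDOW:
                alerts.append({"file": ev["Image"], "user": ev["User"],
                               "created_by": created["Image"]})
    return alerts

# Constructed sample events in the shape of the Sysmon fields used above (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": datetime(2024, 1, 5, 9, 0, 0),
     "Image": r"C:\Program Files\Mail\mail.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.pdf.exe"},
    {"EventCode": 11, "UtcTime": datetime(2024, 1, 5, 9, 0, 5),
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\notes.txt"},
    {"EventCode": 1, "UtcTime": datetime(2024, 1, 5, 9, 2, 30), "User": r"CORP\alice",
     "Image": r"C:\Users\alice\Downloads\invoice.pdf.exe"},
]
```

Only the creation-then-execution pair for `invoice.pdf.exe` produces an alert; the single-extension `notes.txt` is ignored, and an execution outside TIME_WINDOW of the creation would be as well.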