From 4f6d433c2d69e233bbd198cfcbc7fb3dfc5e3374 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 13 Jan 2022 21:09:26 +0000
Subject: [PATCH] Detects executable running with non executable extension, used for av bypass
---
 .../win_run_executable_invalid_extension.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/win_run_executable_invalid_extension.yml
diff --git a/rules/windows/process_creation/win_run_executable_invalid_extension.yml b/rules/windows/process_creation/win_run_executable_invalid_extension.yml
new file mode 100644
index 000000000..f323801e0
--- /dev/null
+++ b/rules/windows/process_creation/win_run_executable_invalid_extension.yml
@@ -0,0 +1,30 @@
+title: Application Executed Non-Executable Extension
+id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
+status: experimental
+description: Detects execution of files using an invalid file extension
+author: Tim Shelton
+date: 2022/01/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - '.exe'
+ - '.ex_'
+ - '.com'
+ - '.cmd'
+ - '.bat'
+ - '.bin'
+ - '.pif'
+ selection2:
+ Image|endswith: 'rundll32.exe'
+ selection2b:
+ CommandLine|contains: ".dll"
+ condition: not selection1 or (selection2 and not selection2b)
+fields:
+ - Image
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
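Review bot: The `not selection1` branch in `condition` alerts at `level: high` on every process whose image path does not end in one of seven extensions, yet Windows loads a PE regardless of its name, so legitimate cases fall straight into it — Inno Setup installers execute a `.tmp` copy of themselves, `.scr` screensavers are ordinary executables, a log source that emits an empty or truncated `Image` matches, and if the backend compiles `endswith` case-sensitively so does any `.EXE` path — while `falsepositives` still says `Unknown`. Of the allow-listed values, `.cmd` and `.bat` never appear as `Image` in process_creation (the interpreter `cmd.exe` does) and `.ex_` is only a compressed-archive naming convention, so I would replace the list with what you actually expect to see, e.g. `'.exe'`, `'.com'`, `'.scr'`, `'.pif'`, `'.tmp'`, and record the installer case under `falsepositives`. The rundll32 clause (`selection2 and not selection2b`) has nothing to do with file extensions and additionally fires on `rundll32.exe` launched with no arguments, which installers and shell components do routinely; it belongs in its own rule (Sigma already has rundll32-without-DLL-argument coverage, if I recall correctly) rather than being `or`-ed into this one. Since an attacker can just as easily rename a payload to `.com` or `.pif`, the rule only catches naive renames, and the `description` should say so instead of "invalid file extension".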