From 9f3d5328f46131bc4eb5749bc2179dcdaa6d03c0 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Wed, 21 Jul 2021 11:49:32 -0600
Subject: [PATCH] [Rule Tuning] Convert unusual extension rule to regex (#1368)
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
---
 ..._evasion_file_creation_mult_extension.toml | 34 +++----------------
 1 file changed, 4 insertions(+), 30 deletions(-)
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 41b77f901..7dbd54ab1 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/07/20"
+min_stack_version = "7.12.0"
 [rule]
 author = ["Elastic"]
@@ -23,34 +24,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "creation" and file.extension:"exe" and
- file.name:
- (
- "*.vbs.exe",
- "*.vbe.exe",
- "*.bat.exe",
- "*.js.exe",
- "*.cmd.exe",
- "*.wsh.exe",
- "*.ps1.exe",
- "*.pdf.exe",
- "*.docx.exe",
- "*.doc.exe",
- "*.xlsx.exe",
- "*.xls.exe",
- "*.pptx.exe",
- "*.ppt.exe",
- "*.txt.exe",
- "*.rtf.exe",
- "*.gif.exe",
- "*.jpg.exe",
- "*.png.exe",
- "*.bmp.exe",
- "*.hta.exe",
- "*.txt.exe",
- "*.img.exe",
- "*.iso.exe"
- )
+file where event.type == "creation" and file.extension : "exe" and
+ file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe"""
 '''
@@ -71,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1036/004/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
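Review bot: The new regex alternation in the query hunk lists `txt` twice (`...|rtf|...|hta|txt|img|iso`), carried over verbatim from the duplicate `"*.txt.exe"` entry in the removed list; the second occurrence is dead and makes the extension set harder to audit against the old list, so the line should read ` file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|img|iso)\.exe"""`. Because the pattern sits inside a TOML literal `'''` string and an EQL `"""` raw string, the `\.` escapes reach the regex engine unmodified, which is what the rule needs; a short `#` comment above `query` saying that the pattern must match the whole file name (hence the leading `.*`) and that `regex~` is case-insensitive, with the latter being the reason the new `min_stack_version` was added, would save the next tuner from re-deriving that — I believe both are EQL's behaviour, but it should be confirmed against the stack version the rule targets.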