title: Suspicious Double Extension File Execution
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
related:
    - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
      type: similar
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
    - https://twitter.com/blackorbird/status/1140519090961825792
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
date: 2019-06-26
modified: 2025-05-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - ' .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
        CommandLine|contains:
            - ' .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
    condition: selection
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (TargetProcessName endswith " .exe"
    or TargetProcessName endswith "______.exe"
    or TargetProcessName endswith ".doc.exe"
    or TargetProcessName endswith ".doc.js"
    or TargetProcessName endswith ".docx.exe"
    or TargetProcessName endswith ".docx.js"
    or TargetProcessName endswith ".gif.exe"
    or TargetProcessName endswith ".jpeg.exe"
    or TargetProcessName endswith ".jpg.exe"
    or TargetProcessName endswith ".mkv.exe"
    or TargetProcessName endswith ".mov.exe"
    or TargetProcessName endswith ".mp3.exe"
    or TargetProcessName endswith ".mp4.exe"
    or TargetProcessName endswith ".pdf.exe"
    or TargetProcessName endswith ".pdf.js"
    or TargetProcessName endswith ".png.exe"
    or TargetProcessName endswith ".ppt.exe"
    or TargetProcessName endswith ".ppt.js"
    or TargetProcessName endswith ".pptx.exe"
    or TargetProcessName endswith ".pptx.js"
    or TargetProcessName endswith ".rtf.exe"
    or TargetProcessName endswith ".rtf.js"
    or TargetProcessName endswith ".svg.exe"
    or TargetProcessName endswith ".txt.exe"
    or TargetProcessName endswith ".txt.js"
    or TargetProcessName endswith ".xls.exe"
    or TargetProcessName endswith ".xls.js"
    or TargetProcessName endswith ".xlsx.exe"
    or TargetProcessName endswith ".xlsx.js"
    or TargetProcessName endswith "⠀⠀⠀⠀⠀⠀.exe")
  and (TargetProcessCommandLine contains " .exe"
    or TargetProcessCommandLine contains "______.exe"
    or TargetProcessCommandLine contains ".doc.exe"
    or TargetProcessCommandLine contains ".doc.js"
    or TargetProcessCommandLine contains ".docx.exe"
    or TargetProcessCommandLine contains ".docx.js"
    or TargetProcessCommandLine contains ".gif.exe"
    or TargetProcessCommandLine contains ".jpeg.exe"
    or TargetProcessCommandLine contains ".jpg.exe"
    or TargetProcessCommandLine contains ".mkv.exe"
    or TargetProcessCommandLine contains ".mov.exe"
    or TargetProcessCommandLine contains ".mp3.exe"
    or TargetProcessCommandLine contains ".mp4.exe"
    or TargetProcessCommandLine contains ".pdf.exe"
    or TargetProcessCommandLine contains ".pdf.js"
    or TargetProcessCommandLine contains ".png.exe"
    or TargetProcessCommandLine contains ".ppt.exe"
    or TargetProcessCommandLine contains ".ppt.js"
    or TargetProcessCommandLine contains ".pptx.exe"
    or TargetProcessCommandLine contains ".pptx.js"
    or TargetProcessCommandLine contains ".rtf.exe"
    or TargetProcessCommandLine contains ".rtf.js"
    or TargetProcessCommandLine contains ".svg.exe"
    or TargetProcessCommandLine contains ".txt.exe"
    or TargetProcessCommandLine contains ".txt.js"
    or TargetProcessCommandLine contains ".xls.exe"
    or TargetProcessCommandLine contains ".xls.js"
    or TargetProcessCommandLine contains ".xlsx.exe"
    or TargetProcessCommandLine contains ".xlsx.js"
    or TargetProcessCommandLine contains "⠀⠀⠀⠀⠀⠀.exe")
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
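The rule's selection logic, as an added Python evaluator that is not part of the Sigma rule or its Sentinel translation: it reproduces the 30 suffixes, Sigma's case-insensitive string matching, and the AND between the `Image` and `CommandLine` conditions, and runs them over a few constructed process_creation events (the two-field event shape and the sample paths are assumptions made for this example).

```python
from dataclasses import dataclass

# The six Braille Pattern Blank characters (U+2800) used in the rule
BRAILLE_BLANK = "\u2800" * 6

# The 30 strings from the rule's Image|endswith and CommandLine|contains
# lists (both lists are identical in the rule); all are already lowercase
DOUBLE_EXT = [
    " .exe",
    "______.exe",
    *(f".{ext}.exe" for ext in ("doc", "docx", "gif", "jpeg", "jpg", "mkv", "mov",
                               "mp3", "mp4", "pdf", "png", "ppt", "pptx", "rtf",
                               "svg", "txt", "xls", "xlsx")),
    *(f".{ext}.js" for ext in ("doc", "docx", "pdf", "ppt", "pptx", "rtf", "txt",
                              "xls", "xlsx")),
    BRAILLE_BLANK + ".exe",
]


@dataclass
class ProcessCreate:
    """Minimal process_creation event: only the two fields the rule inspects."""
    image: str
    command_line: str


def matches_rule(evt: ProcessCreate) -> bool:
    """Sigma's plain string modifiers compare case-insensitively, and both
    field conditions live in one selection, so both must hold (AND)."""
    image = evt.image.lower()
    cmd = evt.command_line.lower()
    image_hit = any(image.endswith(p) for p in DOUBLE_EXT)
    cmd_hit = any(p in cmd for p in DOUBLE_EXT)
    return image_hit and cmd_hit


def scan(events: list[ProcessCreate]) -> list[int]:
    """Return the indexes of the events that would raise this alert."""
    return [i for i, evt in enumerate(events) if matches_rule(evt)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Users\alice\Downloads\Invoice.pdf.exe",
                  r'"C:\Users\alice\Downloads\Invoice.pdf.exe"'),            # hit
    ProcessCreate(r"C:\Windows\System32\notepad.exe",
                  r"notepad.exe C:\Users\alice\report.docx"),                # clean
    ProcessCreate(rf"C:\Users\bob\Desktop\photo.jpg{BRAILLE_BLANK}.exe",
                  rf'"C:\Users\bob\Desktop\photo.jpg{BRAILLE_BLANK}.exe"'),  # hit
    ProcessCreate(r"C:\Temp\Report.PDF.EXE", r"Report.PDF.EXE"),              # hit (case)
    ProcessCreate(r"C:\Temp\readme.txt.exe", ""),                              # missed: empty cmd
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [0, 2, 3]
```

Because the two field conditions are ANDed, an event whose CommandLine is empty or truncated by the log source is not alerted on even when the Image matches, as the last sample shows; a tuning variant with `condition: selection_img or selection_cmd` would trade that gap for more noise.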