Dropped files with double extensions (for example a file ending in .pdf.exe) may indicate adversaries attempting to evade detection by leveraging Windows' default behavior of hiding extensions for known file types, so the file appears to be a document while it is actually an executable, archive or disk image. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware persistence or execution attempts.
Detection Rule
title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
      type: derived
    - id: 3215aa19-f060-4332-86d5-5602511f3ca8
      type: similar
status: test
description: Detects dropped files with double extensions, a technique often used by malware to abuse the fact that Windows hides extensions for known file types by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-06-19
modified: 2025-07-22
tags:
    - attack.defense-evasion
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection_gen:
        TargetFilename|endswith:
            - '.exe'
            - '.iso'
            - '.rar'
            - '.svg'
            - '.zip'
            # - '.lnk' # legitimate links can appear just about anywhere
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.gif.'
            - '.jpeg.'
            - '.jpg.'
            - '.mp3.'
            - '.mp4.'
            - '.pdf.'
            - '.png.'
            - '.ppt.'
            - '.pptx.'
            - '.rtf.'
            - '.svg.'
            - '.txt.'
            - '.xls.'
            - '.xlsx.'
    selection_exe:
        TargetFilename|endswith:
            - '.rar.exe'
            - '.zip.exe'
    # Note: If you want to keep using the ".lnk" extension, you may uncomment this filter and add additional locations
    # filter_main_lnk:
    #     TargetFilename|contains:
    #         - '\AppData\Roaming\Microsoft\Office\Recent\'
    #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Azure Sentinel Query (KQL)
imFileEvent
| where (
        (TargetFileName endswith ".exe" or TargetFileName endswith ".iso" or TargetFileName endswith ".rar" or TargetFileName endswith ".svg" or TargetFileName endswith ".zip")
        and (TargetFileName contains ".doc." or TargetFileName contains ".docx." or TargetFileName contains ".gif." or TargetFileName contains ".jpeg." or TargetFileName contains ".jpg." or TargetFileName contains ".mp3." or TargetFileName contains ".mp4." or TargetFileName contains ".pdf." or TargetFileName contains ".png." or TargetFileName contains ".ppt." or TargetFileName contains ".pptx." or TargetFileName contains ".rtf." or TargetFileName contains ".svg." or TargetFileName contains ".txt." or TargetFileName contains ".xls." or TargetFileName contains ".xlsx.")
    )
    or (TargetFileName endswith ".rar.exe" or TargetFileName endswith ".zip.exe")
False Positive Scenarios
Scenario: A system administrator manually renames files for version control, for example report_v2.txt.txt, to track changes.
Filter/Exclusion: Exclude files with names matching *.txt.txt, or use a regex filter to ignore files whose last extension is .txt and whose second-to-last extension is also .txt.

Scenario: A scheduled job runs a script that generates temporary files with double extensions, such as temp_data.log.log, during log rotation.
Filter/Exclusion: Exclude files created by specific scheduled tasks (e.g., LogRotationJob), or filter on file creation time relative to the job's execution window.

Scenario: A developer uses a tool like git to manage files, and the system automatically appends .git to some files during repository operations, producing names like config.git.git.
Filter/Exclusion: Exclude files containing the substring .git.git, or filter on the presence of a .git directory in the file path.

Scenario: A backup tool like Veeam or Acronis creates temporary files with double extensions during the backup process, such as backup_data.bak.bak.
Filter/Exclusion: Exclude files with names matching *.bak.bak, or filter on the presence of a backup-related directory or process name.

Scenario: A user creates archives with a file compression tool like 7-Zip, and the tool temporarily saves files with double extensions, such as archive.7z.7z.
Filter/Exclusion: Exclude files with names matching *.7z.7z, or filter on the presence of the 7-Zip process or the temporary directories used by the tool.
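The following Python is an added reference implementation of the rule's matching logic, written for this page; it is not part of the Sigma rule, the Sigma project or Azure Sentinel. It reproduces `selection_gen` and `selection_exe` exactly as the YAML above defines them, reports which selection fired, and runs the rule over a constructed set of file events that includes the file names from the false-positive scenarios above, so a detection engineer can see offline which names the two-part condition actually matches before tuning exclusions. The function names (`which_selection`, `evaluate_events`, `last_two_extensions`), the `excluded_path_fragments` parameter and the sample paths are assumptions made for the example; the extension lists are copied from the rule.

```python
# Added reference implementation of the "Suspicious Double Extension Files"
# rule; not part of the Sigma rule or of Azure Sentinel.

# Extension lists copied verbatim from selection_gen and selection_exe.
DROPPED_EXTENSIONS = (".exe", ".iso", ".rar", ".svg", ".zip")
DECOY_EXTENSIONS = (
    ".doc.", ".docx.", ".gif.", ".jpeg.", ".jpg.", ".mp3.", ".mp4.", ".pdf.",
    ".png.", ".ppt.", ".pptx.", ".rtf.", ".svg.", ".txt.", ".xls.", ".xlsx.",
)
ARCHIVE_EXE_SUFFIXES = (".rar.exe", ".zip.exe")


def which_selection(target_filename: str):
    """Return "selection_gen", "selection_exe" or None for a TargetFilename.

    Sigma's endswith/contains modifiers, like KQL's endswith/contains, are
    case-insensitive, so the comparison is done on the lower-cased name.
    selection_gen needs BOTH a listed final extension AND a listed decoy
    extension followed by a dot; selection_exe only needs the archive suffix.
    """
    name = target_filename.lower()
    if name.endswith(DROPPED_EXTENSIONS) and any(d in name for d in DECOY_EXTENSIONS):
        return "selection_gen"
    if name.endswith(ARCHIVE_EXE_SUFFIXES):
        return "selection_exe"
    return None


def last_two_extensions(target_filename: str):
    """Triage helper: split a name into its last two extensions,
    e.g. 'Invoice.pdf.exe' -> ('.pdf', '.exe'); None if fewer than two."""
    parts = target_filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    return ("." + parts[1], "." + parts[2])


def evaluate_events(events, excluded_path_fragments=()):
    """Run the rule over file_event records (dicts with a TargetFilename key).

    excluded_path_fragments is an assumed tuning hook: any lower-cased path
    fragment it contains suppresses the event, which is the same mechanism the
    rule's commented-out filter_main_lnk block and the false-positive
    scenarios describe (filtering on a known directory).
    Returns a list of (TargetFilename, selection) tuples.
    """
    alerts = []
    for event in events:
        name = event["TargetFilename"]
        lowered = name.lower()
        if any(fragment in lowered for fragment in excluded_path_fragments):
            continue
        selection = which_selection(name)
        if selection:
            alerts.append((name, selection))
    return alerts


# Constructed sample file events (not real telemetry): three names that should
# fire, plus the names from the false-positive scenarios above.
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\alice\Downloads\Invoice_2024.pdf.exe"},
    {"TargetFilename": r"C:\Users\alice\Downloads\holiday_photo.jpg.iso"},
    {"TargetFilename": r"C:\Users\alice\Downloads\project.rar.exe"},
    {"TargetFilename": r"C:\Users\bob\Documents\report_v2.txt.txt"},
    {"TargetFilename": r"C:\Logs\temp_data.log.log"},
    {"TargetFilename": r"C:\Backups\backup_data.bak.bak"},
    {"TargetFilename": r"C:\Temp\archive.7z.7z"},
]

if __name__ == "__main__":
    for name, selection in evaluate_events(SAMPLE_EVENTS):
        decoy, real = last_two_extensions(name)
        print(f"{selection:14} decoy={decoy:6} real={real:6} {name}")
```

Running the block alerts on the three Downloads files only: the scenario names such as report_v2.txt.txt or backup_data.bak.bak end in extensions that are not in the rule's `endswith` list, so `selection_gen` cannot fire on them and no exclusion is needed for those particular names; the exclusions above become relevant only if the final-extension list is extended. Passing `excluded_path_fragments=("\\downloads\\",)` to `evaluate_events` shows how a path-based exclusion silences all three hits, which is why such filters should be scoped as narrowly as the scenario allows.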