Adversaries may abuse or impersonate core Windows system binaries to write files with script or executable extensions, for example to stage malicious payloads or exfiltrate data. Such processes rarely write files of these types in normal operation, so SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control or persistence mechanisms early.
Detection Rule
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
      type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        Image|endswith:
            - '\csrss.exe'
            - '\lsass.exe'
            - '\RuntimeBroker.exe'
            - '\sihost.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.txt'
            - '.vbe'
            - '.vbs'
    selection_special:
        Image|endswith:
            - '\dllhost.exe'
            - '\rundll32.exe'
            - '\svchost.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    filter_main_AppLockerPolicyTest:
        Image: 'C:\Windows\System32\dllhost.exe'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\__PSScriptPolicyTest_'
        TargetFilename|endswith: '.ps1'
    filter_main_script_gpo_machine:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Windows\System32\GroupPolicy\DataStore\'
            - '\sysvol\'
            - '\Policies\'
            - '\Machine\Scripts\Startup\'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
    filter_main_clipchamp:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Program Files\WindowsApps\Clipchamp'
            - '.ps1'
    filter_main_powershell_preview:
        Image:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
imFileEvent
| where (
        (
            (TargetFilePath endswith "\\csrss.exe" or TargetFilePath endswith "\\lsass.exe" or TargetFilePath endswith "\\RuntimeBroker.exe" or TargetFilePath endswith "\\sihost.exe" or TargetFilePath endswith "\\smss.exe" or TargetFilePath endswith "\\wininit.exe" or TargetFilePath endswith "\\winlogon.exe")
            and (TargetFileName endswith ".bat" or TargetFileName endswith ".dll" or TargetFileName endswith ".exe" or TargetFileName endswith ".hta" or TargetFileName endswith ".iso" or TargetFileName endswith ".ps1" or TargetFileName endswith ".txt" or TargetFileName endswith ".vbe" or TargetFileName endswith ".vbs")
        )
        or (
            (TargetFilePath endswith "\\dllhost.exe" or TargetFilePath endswith "\\rundll32.exe" or TargetFilePath endswith "\\svchost.exe")
            and (TargetFileName endswith ".bat" or TargetFileName endswith ".hta" or TargetFileName endswith ".iso" or TargetFileName endswith ".ps1" or TargetFileName endswith ".vbe" or TargetFileName endswith ".vbs")
        )
    )
    and (not(
        (
            (TargetFilePath =~ "C:\\Windows\\System32\\dllhost.exe" and (TargetFileName contains ":\\Users\\" and TargetFileName contains "\\AppData\\Local\\Temp\\__PSScriptPolicyTest_") and TargetFileName endswith ".ps1")
            or (TargetFilePath =~ "C:\\Windows\\system32\\svchost.exe" and (TargetFileName contains "C:\\Windows\\System32\\GroupPolicy\\DataStore\\" and TargetFileName contains "\\sysvol\\" and TargetFileName contains "\\Policies\\" and TargetFileName contains "\\Machine\\Scripts\\Startup\\") and (TargetFileName endswith ".ps1" or TargetFileName endswith ".bat"))
            or (TargetFilePath =~ "C:\\Windows\\system32\\svchost.exe" and (TargetFileName contains "C:\\Program Files\\WindowsApps\\Clipchamp" and TargetFileName contains ".ps1"))
            or ((TargetFilePath in~ ("C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe")) and (TargetFileName startswith "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or TargetFileName startswith "C:\\Program Files (x86)\\WindowsApps\\Microsoft.PowerShellPreview") and TargetFileName endswith ".ps1")
        )
    ))
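As an added example (not the page's rule nor its KQL translation), the detection logic above implemented in Python and run over constructed file-event records, so the two selections and the four filter_main_* exclusions can be checked offline before the rule is deployed; field names (Image, TargetFilename) follow the Sigma rule and all sample paths are made up.

```python
# Added example: a small evaluator for the Sigma rule above, run over constructed
# file-event records (fields Image, TargetFilename). Matching is case-insensitive,
# as Sigma defaults and as the KQL endswith/contains/=~ operators are.
GENERIC_IMAGES = ("\\csrss.exe", "\\lsass.exe", "\\RuntimeBroker.exe", "\\sihost.exe",
                  "\\smss.exe", "\\wininit.exe", "\\winlogon.exe")
GENERIC_EXTS = (".bat", ".dll", ".exe", ".hta", ".iso", ".ps1", ".txt", ".vbe", ".vbs")
SPECIAL_IMAGES = ("\\dllhost.exe", "\\rundll32.exe", "\\svchost.exe")
SPECIAL_EXTS = (".bat", ".hta", ".iso", ".ps1", ".vbe", ".vbs")
SVCHOST = ("c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe")

def ends(v, suffixes): return any(v.lower().endswith(s.lower()) for s in suffixes)
def starts(v, prefixes): return any(v.lower().startswith(p.lower()) for p in prefixes)
def has_all(v, parts): return all(p.lower() in v.lower() for p in parts)

def selected(ev):
    """1 of selection_*: a core system binary writing a suspicious extension."""
    img, tf = ev["Image"], ev["TargetFilename"]
    return ((ends(img, GENERIC_IMAGES) and ends(tf, GENERIC_EXTS))
            or (ends(img, SPECIAL_IMAGES) and ends(tf, SPECIAL_EXTS)))

def filtered(ev):
    """1 of filter_main_*: the known-benign writers the rule excludes."""
    img, tf = ev["Image"].lower(), ev["TargetFilename"]
    applocker = (img == "c:\\windows\\system32\\dllhost.exe" and ends(tf, (".ps1",))
                 and has_all(tf, (":\\Users\\", "\\AppData\\Local\\Temp\\__PSScriptPolicyTest_")))
    gpo = (img == SVCHOST[0] and ends(tf, (".ps1", ".bat"))
           and has_all(tf, ("C:\\Windows\\System32\\GroupPolicy\\DataStore\\", "\\sysvol\\",
                            "\\Policies\\", "\\Machine\\Scripts\\Startup\\")))
    clipchamp = img == SVCHOST[0] and has_all(tf, ("C:\\Program Files\\WindowsApps\\Clipchamp", ".ps1"))
    preview = (img in SVCHOST and ends(tf, (".ps1",))
               and starts(tf, ("C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview",
                               "C:\\Program Files (x86)\\WindowsApps\\Microsoft.PowerShellPreview")))
    return applocker or gpo or clipchamp or preview

def alerts(events):
    """condition: 1 of selection_* and not 1 of filter_main_*; returns the alerting ids."""
    return [ev["id"] for ev in events if selected(ev) and not filtered(ev)]

def mk(i, image, target): return {"id": i, "Image": image, "TargetFilename": target}
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    mk(1, "C:\\Windows\\System32\\winlogon.exe", "C:\\Users\\Public\\update.vbs"),      # alert (generic)
    mk(2, "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\Temp\\stage.hta"),        # alert (special)
    mk(3, "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\Temp\\helper.dll"),       # .dll not in selection_special
    mk(4, "C:\\Windows\\System32\\dllhost.exe",
       "C:\\Users\\alice\\AppData\\Local\\Temp\\__PSScriptPolicyTest_abcd.ps1"),       # filter_main_AppLockerPolicyTest
    mk(5, "C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\System32\\GroupPolicy\\DataStore\\0"
       "\\sysvol\\corp.example\\Policies\\{GUID}\\Machine\\Scripts\\Startup\\logon.bat"),  # filter_main_script_gpo_machine
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [1, 2]
```

Tuning exclusions for environment-specific writers are added to filtered() the same way, scoped to an exact image path plus a narrow target-path pattern rather than a process name alone.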
Scenario: A system update or patching tool (e.g., Microsoft Update, Windows Server Update Services) writes temporary files with suspicious extensions during installation.
Filter/Exclusion: Exclude files created by known update tools using their process names or parent process identifiers (e.g., wuauclt.exe, svchost.exe).
Scenario: A backup or synchronization tool (e.g., Veeam, rsync, or Azure Backup) generates temporary files with extensions like .tmp or .bak during data transfer.
Filter/Exclusion: Exclude files created by backup tools using their process names or by checking the file path against known backup directories (e.g., C:\ProgramData\Backup).
Scenario: A system administrator manually runs a script (e.g., PowerShell or batch file) to generate diagnostic files with extensions like .log or .txt for troubleshooting.
Filter/Exclusion: Exclude files created by administrative tasks using user or process context (e.g., Administrators group or cmd.exe/powershell.exe with elevated privileges).
Scenario: A scheduled job (e.g., Task Scheduler) runs a legitimate application (e.g., sqlcmd.exe, ffmpeg.exe, or 7z.exe) that writes output files with non-standard extensions.
Filter/Exclusion: Exclude files generated by scheduled tasks using the task name or parent process identifier (e.g., TaskScheduler or schtasks.exe).
Scenario: A software deployment tool (e.g., SCCM, Chocolatey, or Ansible) creates temporary files with suspicious extensions during package extraction or installation.
Filter/Exclusion: Exclude files created by deployment tools using their process names or by checking the file path against known deployment directories (e.g., C:\Windows\Temp).