Detect potential presence of a malicious file with a double extension ASIM Web Session
| Id | 6a71687f-00cf-44d3-93fc-8cbacc7b5615 |
| Rulename | Detect potential presence of a malicious file with a double extension (ASIM Web Session) |
| Description | Double extension vulnerability is a significant concern in file uploads, as it can lead to various issues if an attacker successfully uploads a virus-infected file. |
| Severity | Medium |
| Tactics | DefenseEvasion Persistence CommandAndControl |
| Techniques | T1036 T1505 T1071 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PossibleMaliciousDoubleExtension.yaml |
| Version | 1.0.1 |
| Arm template | 6a71687f-00cf-44d3-93fc-8cbacc7b5615.json |
let common_file_ext_list = dynamic([".txt", ".xlsx", ".doc", ".docx", ".csv", ".pdf", ".png", ".jpg", ".jpeg"]); // Add list of common files as per your environment
_Im_WebSession (starttime=ago(1h), eventresult='Success')
| where HttpRequestMethod in~ ("POST", "PUT")
| project
Url,
SrcIpAddr,
SrcUsername,
SrcHostname,
DstIpAddr,
DstPortNumber,
DstHostname,
TimeGenerated
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend FileWithdualextension = extract(@'([\w-]+\.\w+\.\w+)$', 1, requestedFileName, typeof(string))
| extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])
| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by
SrcIpAddr,
Url,
FileWithdualextension,
SrcUsername,
SrcHostname,
DstIpAddr,
DstPortNumber,
DstHostname
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")
id: 6a71687f-00cf-44d3-93fc-8cbacc7b5615
tactics:
- DefenseEvasion
- Persistence
- CommandAndControl
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PossibleMaliciousDoubleExtension.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
name: Detect potential presence of a malicious file with a double extension (ASIM Web Session)
query: |
let common_file_ext_list = dynamic([".txt", ".xlsx", ".doc", ".docx", ".csv", ".pdf", ".png", ".jpg", ".jpeg"]); // Add list of common files as per your environment
_Im_WebSession (starttime=ago(1h), eventresult='Success')
| where HttpRequestMethod in~ ("POST", "PUT")
| project
Url,
SrcIpAddr,
SrcUsername,
SrcHostname,
DstIpAddr,
DstPortNumber,
DstHostname,
TimeGenerated
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend FileWithdualextension = extract(@'([\w-]+\.\w+\.\w+)$', 1, requestedFileName, typeof(string))
| extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])
| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files
| summarize
EventCount=count(),
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated)
by
SrcIpAddr,
Url,
FileWithdualextension,
SrcUsername,
SrcHostname,
DstIpAddr,
DstPortNumber,
DstHostname
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")
severity: Medium
customDetails:
EventEndTime: EventEndTime
EventStartTime: EventStartTime
EventCount: EventCount
DstHostname: DstHostname
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1036
- T1505
- T1071
tags:
- SchemaVersion: 0.2.6
Schema: WebSession
queryFrequency: 1h
requiredDataConnectors: []
version: 1.0.1
description: |
'Double extension vulnerability is a significant concern in file uploads, as it can lead to various issues if an attacker successfully uploads a virus-infected file.'
status: Available
alertDetailsOverride:
alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been observed with posting potentially risky dual extension file
alertDescriptionFormat: User posted file '{{FileWithdualextension}}' which potentially contain dual extensions. This type of activity could be malicious and performed to bypass file upload filters or security measures implemented by the application. Destination server name this request was targetted to - '{{DstHostname}}'
entityMappings:
- fieldMappings:
- columnName: FileWithdualextension
identifier: Name
entityType: File
- fieldMappings:
- columnName: Url
identifier: Url
entityType: URL
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
- fieldMappings:
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: SrcHostname
identifier: HostName
entityType: Host
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a71687f-00cf-44d3-93fc-8cbacc7b5615')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a71687f-00cf-44d3-93fc-8cbacc7b5615')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "User posted file '{{FileWithdualextension}}' which potentially contain dual extensions. This type of activity could be malicious and performed to bypass file upload filters or security measures implemented by the application. Destination server name this request was targetted to - '{{DstHostname}}'",
"alertDisplayNameFormat": "User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been observed with posting potentially risky dual extension file"
},
"alertRuleTemplateName": "6a71687f-00cf-44d3-93fc-8cbacc7b5615",
"customDetails": {
"DstHostname": "DstHostname",
"EventCount": "EventCount",
"EventEndTime": "EventEndTime",
"EventStartTime": "EventStartTime"
},
"description": "'Double extension vulnerability is a significant concern in file uploads, as it can lead to various issues if an attacker successfully uploads a virus-infected file.'\n",
"displayName": "Detect potential presence of a malicious file with a double extension (ASIM Web Session)",
"enabled": true,
"entityMappings": [
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FileWithdualextension",
"identifier": "Name"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PossibleMaliciousDoubleExtension.yaml",
"query": "let common_file_ext_list = dynamic([\".txt\", \".xlsx\", \".doc\", \".docx\", \".csv\", \".pdf\", \".png\", \".jpg\", \".jpeg\"]); // Add list of common files as per your environment\n_Im_WebSession (starttime=ago(1h), eventresult='Success')\n| where HttpRequestMethod in~ (\"POST\", \"PUT\") \n| project\n Url,\n SrcIpAddr,\n SrcUsername,\n SrcHostname,\n DstIpAddr,\n DstPortNumber,\n DstHostname,\n TimeGenerated\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]), '/')[-1])\n| extend FileWithdualextension = extract(@'([\\w-]+\\.\\w+\\.\\w+)$', 1, requestedFileName, typeof(string))\n| extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\n| summarize\n EventCount=count(),\n EventStartTime=min(TimeGenerated),\n EventEndTime=max(TimeGenerated)\n by\n SrcIpAddr,\n Url,\n FileWithdualextension,\n SrcUsername,\n SrcHostname,\n DstIpAddr,\n DstPortNumber,\n DstHostname\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Persistence"
],
"tags": [
{
"Schema": "WebSession",
"SchemaVersion": "0.2.6"
}
],
"techniques": [
"T1036",
"T1071",
"T1505"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}