Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Detect potential presence of a malicious file with a double extension ASIM Web Session

Back
Id6a71687f-00cf-44d3-93fc-8cbacc7b5615
RulenameDetect potential presence of a malicious file with a double extension (ASIM Web Session)
DescriptionDouble extension vulnerability is a significant concern in file uploads, as it can lead to various

issues if an attacker successfully uploads a virus-infected file.
SeverityMedium
TacticsDefenseEvasion
Persistence
CommandAndControl
TechniquesT1036
T1505
T1071
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PossibleMaliciousDoubleExtension.yaml
Version1.0.0
Arm template6a71687f-00cf-44d3-93fc-8cbacc7b5615.json
Deploy To Azure
let common_file_ext_list = dynamic([".txt", ".xlsx", ".doc", ".docx", ".csv", ".pdf", ".png", ".jpg", ".jpeg"]); // Add list of common files as per your environment
_Im_WebSession (starttime=ago(1h), eventresult='Success')
| where HttpRequestMethod in~ ("POST", "PUT") 
| project
    Url,
    SrcIpAddr,
    SrcUsername,
    SrcHostname,
    DstIpAddr,
    DstPortNumber,
    DstHostname,
    TimeGenerated
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend FileWithdualextension = extract(@'([\w-]+\.\w+\.\w+)$', 1, requestedFileName, typeof(string))
| extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])
| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files
| summarize
    EventCount=count(),
    EventStartTime=min(TimeGenerated),
    EventEndTime=max(TimeGenerated)
    by
    SrcIpAddr,
    Url,
    FileWithdualextension,
    SrcUsername,
    SrcHostname,
    DstIpAddr,
    DstPortNumber,
    DstHostname
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")
customDetails:
  EventEndTime: EventEndTime
  EventCount: EventCount
  DstHostname: DstHostname
  EventStartTime: EventStartTime
name: Detect potential presence of a malicious file with a double extension (ASIM Web Session)
status: Available
triggerThreshold: 0
severity: Medium
tactics:
- DefenseEvasion
- Persistence
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PossibleMaliciousDoubleExtension.yaml
entityMappings:
- entityType: File
  fieldMappings:
  - columnName: FileWithdualextension
    identifier: Name
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: Host
  fieldMappings:
  - columnName: SrcHostname
    identifier: HostName
queryPeriod: 1h
queryFrequency: 1h
version: 1.0.0
triggerOperator: gt
description: |
  'Double extension vulnerability is a significant concern in file uploads, as it can lead to various 
    issues if an attacker successfully uploads a virus-infected file.'  
query: |
  let common_file_ext_list = dynamic([".txt", ".xlsx", ".doc", ".docx", ".csv", ".pdf", ".png", ".jpg", ".jpeg"]); // Add list of common files as per your environment
  _Im_WebSession (starttime=ago(1h), eventresult='Success')
  | where HttpRequestMethod in~ ("POST", "PUT") 
  | project
      Url,
      SrcIpAddr,
      SrcUsername,
      SrcHostname,
      DstIpAddr,
      DstPortNumber,
      DstHostname,
      TimeGenerated
  | extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
  | extend FileWithdualextension = extract(@'([\w-]+\.\w+\.\w+)$', 1, requestedFileName, typeof(string))
  | extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])
  | where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files
  | summarize
      EventCount=count(),
      EventStartTime=min(TimeGenerated),
      EventEndTime=max(TimeGenerated)
      by
      SrcIpAddr,
      Url,
      FileWithdualextension,
      SrcUsername,
      SrcHostname,
      DstIpAddr,
      DstPortNumber,
      DstHostname
  | extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),"")  
relevantTechniques:
- T1036
- T1505
- T1071
tags:
- Schema: WebSession
  SchemaVersion: 0.2.6
id: 6a71687f-00cf-44d3-93fc-8cbacc7b5615
requiredDataConnectors: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been observed with posting potentially risky dual extension file
  alertDescriptionFormat: User posted file '{{FileWithdualextension}}' which potentially contain dual extensions. This type of activity could be malicious and performed to bypass file upload filters or security measures implemented by the application. Destination server name this request was targetted to - '{{DstHostname}}'
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a71687f-00cf-44d3-93fc-8cbacc7b5615')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a71687f-00cf-44d3-93fc-8cbacc7b5615')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "User posted file '{{FileWithdualextension}}' which potentially contain dual extensions. This type of activity could be malicious and performed to bypass file upload filters or security measures implemented by the application. Destination server name this request was targetted to - '{{DstHostname}}'",
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP address '{{SrcIpAddr}}' has been observed with posting potentially risky dual extension file"
        },
        "alertRuleTemplateName": "6a71687f-00cf-44d3-93fc-8cbacc7b5615",
        "customDetails": {
          "DstHostname": "DstHostname",
          "EventCount": "EventCount",
          "EventEndTime": "EventEndTime",
          "EventStartTime": "EventStartTime"
        },
        "description": "'Double extension vulnerability is a significant concern in file uploads, as it can lead to various \n  issues if an attacker successfully uploads a virus-infected file.'\n",
        "displayName": "Detect potential presence of a malicious file with a double extension (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileWithdualextension",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SrcHostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/PossibleMaliciousDoubleExtension.yaml",
        "query": "let common_file_ext_list = dynamic([\".txt\", \".xlsx\", \".doc\", \".docx\", \".csv\", \".pdf\", \".png\", \".jpg\", \".jpeg\"]); // Add list of common files as per your environment\n_Im_WebSession (starttime=ago(1h), eventresult='Success')\n| where HttpRequestMethod in~ (\"POST\", \"PUT\") \n| project\n    Url,\n    SrcIpAddr,\n    SrcUsername,\n    SrcHostname,\n    DstIpAddr,\n    DstPortNumber,\n    DstHostname,\n    TimeGenerated\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]), '/')[-1])\n| extend FileWithdualextension = extract(@'([\\w-]+\\.\\w+\\.\\w+)$', 1, requestedFileName, typeof(string))\n| extend SecondExt = tostring(split(FileWithdualextension, '.')[-1])\n| where strcat('.', SecondExt) in~ (common_file_ext_list) // Second extension is mostly from the common files\n| summarize\n    EventCount=count(),\n    EventStartTime=min(TimeGenerated),\n    EventEndTime=max(TimeGenerated)\n    by\n    SrcIpAddr,\n    Url,\n    FileWithdualextension,\n    SrcUsername,\n    SrcHostname,\n    DstIpAddr,\n    DstPortNumber,\n    DstHostname\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Persistence"
        ],
        "tags": [
          {
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
          }
        ],
        "techniques": [
          "T1036",
          "T1071",
          "T1505"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}