Suspicious Email Attachment Extensions

Description

This search looks for emails that have attachments with suspicious file extensions.

Content Mapping

Use Case

Security Monitoring

Category

Endpoint Compromise


SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Initial Access

MITRE ATT&CK Techniques

Phishing

Spearphishing Attachment

MITRE Threat Groups

APT-C-36
APT1
APT12
APT19
APT28
APT29
APT30
APT32
APT33
APT37
APT39
APT41
BRONZE BUTLER
BlackTech
Cobalt Group
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN6
FIN7
FIN8
Frankenstein
Gallmaker
Gamaredon Group
Gorgon Group
Inception
Kimsuky
Lazarus Group
Leviathan
Machete
Magic Hound
Mofang
Molerats
MuddyWater
Naikon
OilRig
PLATINUM
Patchwork
RTM
Rancor
Sandworm Team
Sharpshooter
Silence
TA459
TA505
The White Company
Tropic Trooper
Turla
Windshift
Wizard Spider
admin@338
menuPass

Kill Chain Phases

Delivery

Data Sources

Email

Help

Suspicious Email Attachment Extensions Help

You need to ingest email data. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.

Splunk Phantom Playbook Integration

If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run whenever this detection search returns results. To use this integration, install the Phantom App for Splunk (https://splunkbase.splunk.com/app/3411/) and add the correct hostname to the "Phantom Instance" field under Adaptive Response Actions when configuring this detection search. The notable event is sent to Phantom, and the playbook gathers further information about the file attachment and its network behavior. If Phantom finds malicious behavior and an analyst approves the results, the email is deleted from the user's inbox.
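The detection logic described above, as an added example in Python rather than the Splunk search itself (this is not the content pack's SPL and not Splunk's code). It assumes each email record carries the two fields the Help text names, the sender address (src_user) and the attachment file names (file_name), and it uses a constructed list of suspicious extensions and constructed sample records. It also handles two tricks a plain suffix match misses: double extensions such as Resume.PDF.exe, where the final suffix decides the handler, and trailing dots or spaces that Windows ignores when resolving the file type.

```python
"""Suspicious email attachment extension check over sample email records.

Added example, not the Splunk Security Essentials search. It assumes each
email record carries the fields the Help text names: the sender address
(src_user) and the attachment file name(s) (file_name). The extension list
and the sample records are constructed for illustration.
"""
from collections import defaultdict

# Extensions commonly abused in spearphishing attachments (constructed list,
# not the page's own; tune it to your environment).
SUSPICIOUS_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "ps1", "msi", "jar", "lnk", "iso", "img", "cpl",
    "reg", "docm", "xlsm", "pptm",
}


def normalize_filename(name):
    """Lower-case the name and strip trailing dots/whitespace that Windows
    ignores, so 'INVOICE.EXE. ' still resolves to an .exe."""
    return name.strip().rstrip(". ").lower()


def extensions_of(name):
    """Return every dot-separated suffix after the base name, e.g.
    'invoice.pdf.exe' -> ['pdf', 'exe']. Double extensions are a common lure."""
    parts = normalize_filename(name).split(".")
    return [p for p in parts[1:] if p]


def is_suspicious(name):
    """An attachment is suspicious when its final (effective) extension is in
    the list; the final suffix is what the OS uses to pick a handler."""
    exts = extensions_of(name)
    return bool(exts) and exts[-1] in SUSPICIOUS_EXTENSIONS


def find_suspicious_attachments(records):
    """Mirror the detection's output: one row per (sender, file_name) whose
    extension is suspicious, plus a hit count per sender for triage."""
    hits = []
    per_sender = defaultdict(int)
    for rec in records:
        for fname in rec.get("file_name", []):
            if is_suspicious(fname):
                hits.append({"src_user": rec["src_user"], "file_name": fname})
                per_sender[rec["src_user"]] += 1
    return hits, dict(per_sender)


# Constructed sample email events (not real data).
SAMPLE_RECORDS = [
    {"src_user": "billing@example-partner.com", "file_name": ["Q3-invoice.pdf"]},
    {"src_user": "hr@contoso-careers.example", "file_name": ["resume.docx", "Resume.PDF.exe"]},
    {"src_user": "ceo@examp1e.com", "file_name": ["urgent_payment.js. "]},
    {"src_user": "noreply@example.com", "file_name": ["report.xlsx"]},
    {"src_user": "hr@contoso-careers.example", "file_name": ["offer_letter.lnk"]},
]

if __name__ == "__main__":
    hits, counts = find_suspicious_attachments(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['src_user']}: {h['file_name']}")
    print(counts)
```

Running the block flags three of the five sample messages and attributes two of them to the same sender; in Splunk the equivalent grouping by src_user is what turns a list of file names into something an analyst can triage or hand to the Phantom playbook.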
