filesec_io.csv
"Extension","Function","OS","Description","Recommendation","Resources","File_Samples"
"7z","Phishing | File Archiver","Windows Mac Linux","7Z files are archives that can contain multiple files. They can be used to hide and encrypt malware files within. The 7-Zip utility is notably known for the serious remote code execution vulnerability CVE-2018-10115.","Ensure the 7-Zip software is patched for CVE-2018-10115, and monitor incoming 7Z files that are delivered as email attachments, especially if they are encrypted.","https://borncity.com/win/2018/02/21/security-risk-avoid-7-zip/",""
"a3x","Executable Script","Windows","An .a3x file is an AutoIt v3 compiled script. An .a3x file can be used with the standalone and digitally signed AutoIt binary (AutoIt3.exe or AutoIt3_x64.exe) to execute malicious code in the context of a signed/trusted process.","Monitor and disallow .a3x files. Monitoring for the unexpected presence and execution of the AutoIt3.exe binary might also be useful.","https://twitter.com/_theVIVI/status/1463397785336795136 https://thevivi.net/blog/pentesting/201-11-24-autoitmating-your-dotnet-tradecraft https://github.com/V1V1/OffensiveAutoIt","https://www.virustotal.com/gui/file/efc6e6f7519621fce9780ffc794cc4bfbec7af28a8ef8706aed922d1bd3c758c?nocache=1"
"appinstaller","Executable Double Click","Windows","App Installer (.appinstaller) files are used to distribute applications.","Monitor and / or block App Installer (.appinstaller) files.","https://docs.microsoft.com/en-us/windows/msix/app-installer/app-installer-file-overview",""
"applescript","Executable","Mac","APPLESCRIPT files are scripting files used by MacOS. They can be edited and executed using the Apple Script Editor.","Block the download and execution of external APPLESCRIPT files.","https://attack.mitre.org/techniques/T1059/002/ https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/",""
"application","Phishing | Executable | Double Click","Windows","APPLICATION files use Microsoft's ClickOnce technology, which enables users to install and run a Windows-based smart client application by clicking a link in a web page. APPLICATION files are capable of downloading malware from a web server and installing it with one simple click. They can also be used to grab NTLM hashes, although that has been patched as part of KB4576630.","Block the execution from unknown publishers or fully block the download and execution of APPLICATION files.","https://bohops.com/2017/12/02/clickonce-twice-or-thrice-a-technique-for-social-engineering-and-untrusted-command-execution/ https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf https://www.netspi.com/blog/technical/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/ http://blog.redxorblue.com/2020/07/one-click-to-compromise-fun-with.html","https://www.joesandbox.com/analysis/304904/0/html"
"appref-ms","Executable | Phishing | Double Click","Windows","APPREF-MS or Application Reference files are similar to APPLICATION files that utilize Microsoft's ClickOnce technology. They can be used to download malware from a remote web server.","Block the execution from unknown publishers or fully block the download and execution of APPREF-MS files.","https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf",""
"appx","Executable | Phishing | Double Click","Windows","An APPX file is a Windows application package file.","Monitor and / or disallow APPX files.","https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-app-package--appx-or-appxbundle--servicing-command-line-options?view=windows-11",""
"appxbundle","Executable | Phishing | Double Click","Windows","An .appxbundle is a collection of app and resource packages.","Monitor and / or disallow the use of appxbundle files.","https://github.com/executemalware/Malware-IOCs/blob/main/2021-11-04%20BazarLoader%20IOCs https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-app-package--appx-or-appxbundle--servicing-command-line-options?view=windows-11",""
"arj","Phishing | File Archiver","Windows","File archive compressed by ARJ, a file archiver program that uses Robert Jung compression; it includes long filename support, file version management, data integrity protection, and multiple volume archives. ARJ archives are capable of transferring malicious executables and can be used by attackers to bypass file filters and evade antivirus and other security controls.","After validating business usage, block the download and execution of arj archive files on email & web gateways and endpoints. Whitelist as required.","https://www.trendmicro.com/en_in/research/18/j/same-old-yet-brand-new-new-file-types-emerge-in-malware-spam-attachments.html",""
"asd","Phishing | Double Click | Macros","Windows","ASD is a Microsoft Word Auto Recovery Document. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users, turn off macros from Word's settings.","","https://www.hybrid-analysis.com/sample/7342c6ea1fc3362afa7879ed582d246172e9dc1a5a89d50a202bf5c5b60cb87e"
"bat","Executable | Script | Double Click","Windows","BAT or Batch file is a DOS file used to execute commands using the Command Prompt (cmd.exe).","Block the download and execution of all BAT files. Alternatively, change the default application for BAT files to a text editor such as Notepad.","https://www.bleepingcomputer.com/news/security/trickbot-malware-uses-obfuscated-windows-batch-script-to-evade-detection/","https://www.joesandbox.com/analysis/445201/0/html"
"bgi","Exploit | Script | Phishing","Windows","BGInfo is a tool that is part of Sysinternals. It allows you to display the machine's configuration info on the desktop wallpaper. The OS will automatically associate the BGInfo application with the .bgi extension when it's first executed. Any .bgi file that a user double clicks will automatically run using the BGInfo executable without prompting the user.","Block BGInfo if it is not used in the organization, and block .BGI files as well.","https://www.varonis.com/blog/exploiting-bginfo-to-infiltrate-a-corporate-network/",""
"bz2","Phishing | Double Click | File Archiver","Windows | Linux | Mac","Compressed archive created by bzip2, a file compression program often found on Unix-based systems; it incorporates the Burrows-Wheeler compression algorithm as well as Run-Length Encoding (RLE) for high levels of compression and is often used for Linux software package distributions. These archives can also be opened on Windows machines via compression software such as WinRAR and 7-Zip. These archive file types can contain malicious files.","After validating business usage, monitor & block the download and execution of bz2 archive files on email & web gateways and endpoints. Whitelist as required.","","https://any.run/report/c0d3574a4c99d94a21fdce3ff06f1186ef8980372320fa45603fc10f2dd496a5/2e49ea5f-1e86-4de6-9c5c-f9e5e2d10c08 https://bazaar.abuse.ch/sample/11480cf5c47c57040f917412a67d741bd7827ebe3c35779ab90199b4ab6280b8/"
"cab","Phishing | File Archiver","Windows","CAB or Windows Cabinet files are compressed archive files. They are used by attackers to deliver malware.","Block CAB files that are delivered through email.","https://www.trendmicro.com/vinfo/se/security/news/cybercrime-and-digital-threats/loki-delivered-as-cab-file-attachment",""
"chm","Executable | Double Click","Windows","CHM or Compiled HTML Help is a deprecated file format used to hold compiled and compressed HTML help documentation.","Block the download and execution of CHM files.","https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",""
"cmd","Executable | Script | Double Click","Windows","CMD or Command files are similar to BAT files and will run commands on the Command Prompt (cmd.exe).","Block the download and execution of CMD files.","",""
"com","Executable | Double Click","Windows","COM files are binary executable files similar to EXE files. They can be executed on 32-bit versions of Windows but require the NT Virtual DOS Machine (NTVDM) to be installed on a 64-bit version of Windows.","There is little legitimate use for COM files today. Download or execution of COM files should be restricted.","",""
"cpl","Executable | Double Click","Windows","CPL or Control Panel Files are used by the Control Panel Windows application. CPL files can be used to download content from the internet or execute code.","Block the download and execution of CPL files.","https://www.trendmicro.com/en_us/research/13/l/control-panel-files-used-as-malicious-attachments.html https://www.trendmicro.com/en_us/research/14/a/a-look-into-cpl-malware.html",""
"cs","Executable","Windows","CS files are C# (C Sharp) source code files. They must be compiled before they become executable. Attackers will often use csc.exe to compile CS files.","Monitor the usage of the csc.exe compiler to compile CS files.","",""
"daa","Phishing | Executable | File Archiver","Windows","Direct Access Archive or DAA is a proprietary file format developed by PowerISO Computing for disk image files. The format supports features such as compression, password protection, and splitting into multiple volumes. These file types can be leveraged to phish users and trick them into executing malicious code embedded inside them.","Common email providers do not block daa attachments, but there is little legitimate need for them to be delivered through mail. Block the attachments via email gateway. Also open these file types with care as they can carry malicious executables.","https://isc.sans.edu/forums/diary/Malicious+DAA+Attachments/25230/","https://www.virustotal.com/gui/file/98664feac87afbb44c37b13675a5bcd97f407009a173dea081d498ea8aedc210/details"
"desktopthemepackfile","Phishing | Double Click","Windows","DESKTOPTHEMEPACKFILE files are used by Windows machines to customize desktop themes. They have been previously used by attackers to steal credentials because they often bypass antivirus detection.","Block the download and execution of DESKTOPTHEMEPACKFILE files.","https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-abused-to-steal-windows-passwords/",""
"diagcab","Double Click | Executable","Windows","DIAGCAB files are diagnostic troubleshooting packages introduced in Windows Vista. DIAGCAB files can be created & signed by attackers to execute code on the machine.","Treat DIAGCAB files as executables. Block the execution of these files from unknown publishers. If feasible, block the download and execution of DIAGCAB files.","https://www.proofpoint.com/us/threat-insight/post/windows-troubleshooting-platform-leveraged-deliver-malware","https://www.joesandbox.com/analysis/53153/0/html"
"dll","Executable","Windows","DLL or Dynamic Link Library files are compiled files that are referenced by executable files. Unlike EXE files, they cannot be directly double clicked and must be called by another program to be executed.","Block the download and execution of unknown and unsigned DLL files.","https://blog.nviso.eu/2019/09/18/malicious-spreadsheet-dropping-a-dll/",""
"dmg","Executable | Double Click","Mac","DMG or Disk Image files are similar to ISO files but are used by MacOS. They should be treated in a similar manner as Windows EXE files.","Block unknown and unsigned DMG files from being downloaded or executed.","https://www.intego.com/mac-security-blog/apple-notarizes-new-mac-malware-again/",""
"doc","Phishing | Double Click | Macros","Windows | Mac","DOC is a Microsoft Word Document file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users, turn off macros from Word's settings.","https://www.sophos.com/en-us/security-news-trends/security-trends/the-rise-of-document-based-malware.aspx",""
"docm","Phishing | Double Click | Macros","Windows | Mac","DOCM is a Microsoft Macro-Enabled Word Document file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users, turn off macros from Word's settings.","https://www.sophos.com/en-us/security-news-trends/security-trends/the-rise-of-document-based-malware.aspx",""
"dot","Phishing | Double Click | Macros","Windows | Mac","DOT is a Microsoft Word template file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users, turn off macros from Word's settings.","https://www.sophos.com/en-us/security-news-trends/security-trends/the-rise-of-document-based-malware.aspx",""
"dotm","Phishing | Double Click","Windows | Mac","DOTM is a Microsoft Macro-Enabled Word template file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users, turn off macros from Word's settings.","https://www.sophos.com/en-us/security-news-trends/security-trends/the-rise-of-document-based-malware.aspx",""
"eml","Phishing","Windows | Linux | Mac","EML is a file extension for a saved email message. EML files can have spoofed contents within and therefore should not be trusted.","EML files sometimes have legitimate uses, and therefore it's not always feasible to block them. Users should be trained to understand that the contents of EML files are not necessarily legitimate.","https://isc.sans.edu/forums/diary/EML+attachments+in+O365+a+recipe+for+phishing/25474/",""
"exe","Executable | Double Click","Windows","EXE files are executable programs for Windows. They are the standard file extension used by Windows programs.","Block the download and execution of unknown and unsigned EXE files.","https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html","https://www.hybrid-analysis.com/sample/45dd2d1be8e6879b7b332627c387c9a36e38ce7f07ccd3919ea21ed2936889e2?environmentId=120"
"gadget","Phishing | Double Click | Executable | File Archiver","Windows","GADGET files are programs that can run in the Windows sidebar. The GADGET file structure is similar to a ZIP file and can contain files inside. They were introduced in Windows Vista and are natively supported up until Windows 7. Later versions of Windows require third-party software to run them.","Block the download and execution of GADGET files. GADGET files should be blocked at the email gateway.","https://grahamcluley.com/windows-users-warned-spammed-gadget-malware-attack https://web.archive.org/web/20140618030215/http://blogs.appriver.com/Blog/bid/102652/windows-gadget-malwar",""
"gz","Phishing | Double Click | File Archiver","Windows | Linux | Mac","A GZ file is an archive file compressed by the standard GNU zip (gzip) compression algorithm. It typically contains a single compressed file but may also store multiple compressed files. gzip is primarily used on Unix operating systems for file compression.","After validating business usage, monitor & block the download and execution of gz archive files on email & web gateways and endpoints. Whitelist as required.","https://antivirus.comodo.com/blog/computer-safety/coronavirus-push-lokibot-trojan-malware-unsuspecting-users/",""
"hta","Executable | Script | Double Click","Windows","HTA or HTML Application is a Windows program that consists of HTML and a scripting language supported by Internet Explorer (e.g. VBScript).","Block all HTA files from being downloaded or executed. Alternatively, change the default application for HTA files to a text editor such as Notepad.","https://blog.malwarebytes.com/cybercrime/2016/09/surfacing-hta-infections/","https://www.joesandbox.com/analysis/84810/0/html https://www.hybrid-analysis.com/sample/b706abb571f4efe5dcb3c9a0e39dd27de84c88fa83f456e39848c1d44ee7d4d9/5cd05d1802883869072180d3"
"htm","Phishing | Script | Double Click","Windows | Mac | Linux","HTM or Hypertext Markup Language files are used to create webpages. They are often used by attackers to spoof a webpage or execute JavaScript.","Block the download of HTM files when delivered through email and change the default application for HTM files to a text editor such as Notepad.","https://www.proficio.com/spear-phishing-in-the-wild-ii/",""
"html","Phishing | Script | Double Click","Windows | Mac | Linux","HTML or Hypertext Markup Language files are used to create webpages. They are often used by attackers to spoof a webpage or execute JavaScript to redirect users.","Block the download of HTML files when delivered through email and change the default application for HTML files to a text editor such as Notepad.","https://www.avanan.com/blog/phishing-trend-targeting-office-365-uses-html-attachments https://www.trendmicro.com/en_ca/research/17/g/html-attachments-phishing-used-bec-attacks.htm",""
"hwpx","Phishing","Windows","An HWPX file is a Hangul Word Processor 2010 Document. Hangul Word Processor (HWP) is a proprietary word processing application published by the South Korean company Haansoft Corporation. It is used extensively in South Korea, especially by the government. Similar to Office formats such as .doc and .docx, these files are capable of carrying malicious code or 0-day exploits due to their nature.","After validating business usage, monitor & block the download and execution of hwpx files on email & web gateways and endpoints. Whitelist as required.","https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf https://www.virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/",""
"ics","Phishing | Double Click","Windows | Mac | Linux","An .ics calendar file can be harmful. It can contain many calendar events carrying weaponized links, resulting in an annoying number of appointment reminders containing those links. Besides attachments, malicious .ICS files can include links to external files (URI option) that could install malware when clicked on.","User awareness is crucial so that users do not open suspected calendar invites containing malicious links, since blocking .ics at email gateways can cause business impact.","https://abnormalsecurity.com/blog/calendar-invite-malware-attack","https://www.virustotal.com/gui/url/c720d19495ffb9cc901e2043e41b601e9bc5e3c965eff761e786b95a60ae51d2/detection"
"img","Executable | Double Click | Phishing","Windows | Mac","IMG files are used to store a complete image of a disc and behave similarly to ISO files. IMG files are capable of carrying executables.","Common email providers do not block IMG attachments, but there is little legitimate need for them to be delivered through mail. Block the attachments via email gateway.","https://www.kaspersky.com/blog/top4-dangerous-attachments-2019/27147/",""
"iqy","Phishing | Double Click","Windows | Mac","IQY or Internet Query Files are text files used by Excel to download data from the internet. They can be used by an attacker to execute remote commands on a machine.","Block the download of IQY files.","https://blog.knowbe4.com/new-phishing-campaign-uses-iqy-attachments-to-bypass-antivirus-and-installs-rats https://blog.knowbe4.com/malicious-iqy-files-found-in-spam-campaign",""
"iso","Executable | Double Click","Windows | Mac","ISO or ISO Image files are similar to disc images. They can be used by attackers to bypass file filters and evade antivirus.","Block the download and execution of ISO files. Whitelist users/groups when required.","https://www.blokworx.com/2020/01/14/iso-files-are-being-used-to-deliver-malware/",""
"jar","Executable","Windows | Mac | Linux","JAR or Java Archive files are cross-platform files based on the ZIP format. JAR files can be used to target different operating systems. Once Java is installed on Windows, JAR files can be executed upon being double clicked.","Block the execution of JAR files. Whitelist users/groups when required.","https://www.deepinstinct.com/2020/02/16/a-jar-of-malware/",""
"jnlp","Phishing | Double Click | Executable","Windows | Mac | Linux","JNLP or Java Network Launching Protocol is an XML formatted file that is used to launch Java programs over the network or internet. The Java Runtime Environment (JRE) is required to run JNLP files. JNLP files can be used to download and execute remote malicious JAR files.","If feasible, block the download and execution of JNLP files and only give specific users the ability to use them. Otherwise, monitor outgoing connections made by JNLP files. JNLP files should not be accepted as email attachments and should be blocked at the email gateway.","https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trickbot-disguised-as-covid-19-map/","https://www.virustotal.com/gui/file/541313dcce5d30e81078427152fd69d91ead152670d8c633116c05dc70cbd353/detection https://www.joesandbox.com/analysis/361228/0/html"
"js","Executable | Script | Double Click","Windows","JS or JScript files will run by default on Windows machines using Microsoft's JScript scripting engine. This allows for code execution on the machine.","Block the execution of all JS files. Alternatively, change the default application for JS files to a text editor such as Notepad.","https://nakedsecurity.sophos.com/2016/04/26/ransomware-in-your-inbox-the-rise-of-malicious-javascript-attachments/",""
"jse","Executable | Script | Double Click","Windows","JSE or JScript Encoded files will run by default on Windows machines using Microsoft's JScript scripting engine. This allows for code execution on the machine.","Block the execution of all JSE files. Alternatively, change the default application for JSE files to a text editor such as Notepad.","https://nakedsecurity.sophos.com/2016/04/26/ransomware-in-your-inbox-the-rise-of-malicious-javascript-attachments/",""
"library-ms","Phishing","Windows","Windows Library files are a virtual container for user content, and a .library-ms file can be used to point to a remote or local storage location. Abuse of these files has previously been discussed within the CIA Vault 7 leaks. As hinted within the Vault 7 leak, the SearchConnectorDescription section of the library-ms file can point to a remote location, which will force authentication through Explorer when opening the container folder; that can be used for NTLM hash harvesting.","Apply the “DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings.","https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/",""
"lnk","Executable | Double Click | Phishing","Windows","LNK files are Windows shortcut files and can be used to open a URL. Just like URL files, LNK files can include an icon to display for the file, and that can be leveraged for NetNTLM hash harvesting. They can also be used to reference executables (e.g. PowerShell.exe), allowing them to download and execute malware.","Apply the “DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings. Set Allow the use of remote paths in file shortcut icons to 0 in group policy settings.","https://www.opswat.com/blog/shortcut-lnk-files-may-contain-malware https://www.trendmicro.com/en_ca/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/",""
"mam","Executable | Phishing | Double Click","Windows","MAM files are shortcut Microsoft Access Macro files that can be executed by double clicking them.","Block MAM extensions over Email and Proxy.","https://posts.specterops.io/phishing-tales-microsoft-access-macro-mam-shortcuts-c0bc3f90ed62",""
"mht","Phishing | Script | Double Click","Windows","MHT files are webpages saved by a browser. They are often used by attackers to spoof a webpage or execute JavaScript.","Block the download of MHT files when delivered through email and change the default application for MHT files to a text editor such as Notepad.","https://isc.sans.edu/forums/diary/Malware+Delivered+Through+MHT+Files/24096/",""
"mhtml","Phishing | Script | Double Click","Windows","MHTML files are webpages saved by a browser. They are often used by attackers to spoof a webpage or execute JavaScript.","Block the download of MHTML files when delivered through email and change the default application for MHTML files to a text editor such as Notepad.","https://isc.sans.edu/forums/diary/Malware+Delivered+Through+MHT+Files/24096/",""
"mof","Script","Windows","Managed Object Format (MOF) is the language used to describe Common Information Model (CIM) classes. The recommended way for WMI providers to implement new WMI classes is in MOF files, which are compiled using Mofcomp.exe into the WMI repository. It is also possible to create and manipulate CIM classes and instances using the COM API for WMI.","Block unknown MOF files.","https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- https://docs.microsoft.com/en-us/windows/win32/wmisdk/compiling-mof-files https://docs.microsoft.com/en-us/windows/win32/wmisdk/running-the-mof-compiler-on-a-file",""
"msc","Double Click","Windows","MSC files are Microsoft Management Console (MMC) snap-in files.","Block the download and execution of MSC files.","https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/",""
"msi","Executable | Double Click","Windows","MSI is a Windows Installer package, which executes programs similar to EXE files.","Block the download and execution of MSI files. Whitelist users/groups when required.","https://isc.sans.edu/forums/diary/Malware+Delivered+via+Windows+Installer+Files/23349/",""
"msrcincident","Phishing","Windows","MSRCINCIDENT files are XML format documents used by the Windows Remote Assistance program to take control of your computer.","Block the download and execution of MSRCINCIDENT files.","https://www.bleepingcomputer.com/news/security/windows-remote-assistance-tool-can-be-used-for-targeted-attacks/",""
"ocx","Executable","Windows","OCX or OLE Control Extension files are ActiveX controls that Microsoft developed to enable applications to perform specific functions by calling ready-made components. Unlike EXE files, they cannot be directly double clicked and must be registered first (for example via RegSvr32). They operate very similarly to .dll files in many cases. This file extension can be used to evade AV defense rules looking for .dll files spawning from unusual processes.","Look for parent/child process relationships where Regsvr32 is executed with a parent process of Microsoft Word or Microsoft Excel. Attackers are commonly dropping these files via macro-enabled Office documents.","https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents",""
"odt","Exploit | Phishing | Double Click","Windows","ODT is a ZIP archive with XML-based files used by Microsoft Office as well as the comparable Apache OpenOffice and LibreOffice software. There have recently been multiple malware campaigns using this file type that are able to avoid antivirus detection because these engines view ODT files as standard archives and don't apply the same rules they normally would for an Office document.","Block these file types on web and email gateways if there is no business need. Enforce GPOs to control execution of malicious macros and other script executables from odt file types. Enforce Office Protected View.","https://blog.talosintelligence.com/2019/09/odt-malware-twist.html","https://www.virustotal.com/gui/file/de8e85328b1911084455e7dc78b18fd1c6f84366a23eaa273be7fbe4488613dd/detection"
"oxps","Phishing | Double Click","Windows","OXPS files are Microsoft's version of PDF files. They are opened by default with Microsoft's XPS Viewer.","Monitor OXPS files that are delivered as email attachments.","https://isc.sans.edu/forums/diary/XPS+Attachment+Used+for+Phishing/23794/",""
"pdf","Phishing | Script | Double Click","Windows | Mac | Linux","PDF or Portable Document Format is used to share read-only documents. PDFs are constantly used by attackers in phishing attacks. Exploits for PDF readers such as Adobe's are also common. PDF also supports a JavaScript API, which can be used to gather information about the user opening the file.","Ensure the latest version of the PDF viewer (e.g. Adobe) is always installed.","https://opensource.adobe.com/dc-acrobat-sdk-docs/acrobatsdk/pdfs/acrobatsdk_jsapiref.pdf https://unit42.paloaltonetworks.com/phishing-trends-with-pdf-files/",""
"pif","Executable | Double Click","Windows","PIF or Program Information File contains information about EXE files. PIF files can act as shortcuts to EXE files or can be executed if they contain executable data.","There is little legitimate use for PIF files today. Download or execution of PIF files should be restricted.","https://www.forcepoint.com/blog/x-labs/zeus-pif-evolving-strain-looking-defeat-your-security-software https://www.zdnet.com/article/evolving-zeus-malware-used-in-targeted-email-attacks/","https://www.joesandbox.com/analysis/179247/0/html"
"pot","Phishing | Double Click | Macros","Windows | Mac","POT is a Microsoft PowerPoint template file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users, turn off macros from PowerPoint's settings.","https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162",""
"potm","Phishing | Double Click | Macros","Windows | Mac","POTM is a Microsoft Macro-Enabled PowerPoint template file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users, turn off macros from PowerPoint's settings.","https://www.trendmicro.com/vinfo/au/threat-encyclopedia/malware/js_nemucod.potm",""
"ppa","Executable | Phishing | Doubleclick","Windows | Mac","A PPA file is an add-in file used by Microsoft PowerPoint, a program that allows users to create presentations. It contains custom commands and macros written in the VBA (Visual Basic for Applications) language and is used to extend the capabilities of Microsoft PowerPoint. The .ppa and .ppam file types have traditionally been used by various cybercrime groups to conduct their campaigns and operations.","Block .ppa on email and web proxies.","https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/","https://www.virustotal.com/gui/file/ee9d3c90df5c01dc6e2079d1219be752542a452988c4a25f34b8ee22be799332/details"
"ppam","Executable | Phishing | Doubleclick","Windows | Mac","A PPAM file is a PowerPoint macro-enabled Open XML add-in file used by Microsoft PowerPoint, a program used to develop slide show presentations. This file type was introduced in 2007 with the release of Microsoft Office 2007. It contains components that add additional functionality, including extra commands, custom macros, and new tools for extending default PowerPoint functions. PPAM files have been misused by various threat actors, including cybercrime groups; Agent Tesla in particular has been found leveraging this file type more often.","Block PPAM extensions over Email and Web Proxies.","https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/","https://www.virustotal.com/gui/file/fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182/details"
"ppkg","Executable","Windows","PPKG files are DISM provisioning packages that apply configuration to a Windows device.","Monitor and / or disallow PPKG files","https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-provisioning-package-command-line-options?view=windows-11"
"pps","Phishing | Double Click | Macros","Windows | Mac","PPS is a Microsoft PowerPoint slideshow file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from PowerPoint's settings.","https://www.helpnetsecurity.com/2017/06/09/powerpoint-malware/"
"ppsm","Phishing | Double Click | Macros","Windows | Mac","PPSM is a Microsoft Macro-Enabled PowerPoint slideshow file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from PowerPoint's settings.","","https://www.joesandbox.com/analysis/428845/0/html"
"ppt","Phishing | Double Click | Macros","Windows | Mac","PPT is a Microsoft PowerPoint file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from PowerPoint's settings.","https://www.techradar.com/news/this-malware-is-another-reason-to-dread-powerpoint-presentations"
"pptm","Phishing | Double Click | Macros","Windows | Mac","PPTM is a Microsoft Macro-Enabled PowerPoint file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from PowerPoint's settings.","https://www.techradar.com/news/this-malware-is-another-reason-to-dread-powerpoint-presentations"
"ps1","Executable | Script","Windows","PS1 is a Windows PowerShell file. PowerShell is a Windows scripting language. PowerShell is often used by fileless malware to run in memory making them more dangerous and harder to detect.","Block the download and execution of PS1 files.","https://www.varonis.com/blog/fileless-malware/ https://cofense.com/analysts-view-surging-powershell-based-malware/","https://www.joesandbox.com/analysis/444594/0/html https://www.joesandbox.com/analysis/436762/0/html"
"pub","Phishing | Double Click | Macros","Windows | Mac","PUB is the Microsoft Publisher document file format. It is a popular format for publications such as newsletters & flyers & brochures & postcards and is also widely used for websites and emails. PUB files can contain malicious macros that can infect a user's machine.","Manage trusted locations (keep them to an absolute minimum) and monitor the remaining ones. Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off internet-based macros in Microsoft Publisher. If there is no business need block .pub on email and web gateways.","https://www.trendmicro.com/en_in/research/18/j/same-old-yet-brand-new-new-file-types-emerge-in-malware-spam-attachments.html","https://www.virustotal.com/gui/file/38066350f0ad3edfa2ccf534f51ad528b8bac6e8f1a2a5450556a33fdf345109"
"py","Executable | Script","Windows | Mac | Linux","PY files are Python script files. Python is not installed on Windows by default. Once Python is installed .py files are usually executed by the Python interpreter when double clicked.","Block the execution of PY files. Whitelist users/groups when required.","https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
"pyc","Executable | Script","Windows | Mac | Linux","PYC files are compiled Python bytecode files. Python is not installed on Windows by default. Once Python is installed .pyc files are usually executed by the Python interpreter when double clicked.","Block the execution of PYC files. Whitelist users/groups when required.","https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
"pyo","Executable | Script","Windows | Mac | Linux","PYO files are optimized compiled Python bytecode files. Python is not installed on Windows by default. Once Python is installed .pyo files are usually executed by the Python interpreter when double clicked.","Block the execution of PYO files. Whitelist users/groups when required.","https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
"pyw","Executable | Script","Windows | Mac | Linux","PYW files are Python script files intended for GUI programs and are run by the pythonw interpreter (which opens no console window). Python is not installed on Windows by default. Once Python is installed .pyw files are usually executed by pythonw when double clicked.","Block the execution of PYW files. Whitelist users/groups when required.","https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
"pyz","Executable | Script","Windows | Mac | Linux","PYZ files are Python zipped application archives containing Python script files. Python is not installed on Windows by default. Once Python is installed .pyz files are usually executed by the Python interpreter when double clicked.","Block the execution of PYZ files. Whitelist users/groups when required.","https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
"pyzw","Executable | Script","Windows | Mac | Linux","PYZW files are Python zipped application archives containing Python script files and are run by the pythonw interpreter. Python is not installed on Windows by default. Once Python is installed .pyzw files are usually executed by pythonw when double clicked.","Block the execution of PYZW files. Whitelist users/groups when required.","https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
"rar","Phishing | File Archiver","Windows | Mac | Linux","RAR files are compressed archives that can contain multiple files. They are often used by attackers to deliver malware.","Monitor RAR files that are delivered as email attachments especially if they are encrypted.","https://research.checkpoint.com/2019/extracting-code-execution-from-winrar/"
"reg","Double Click","Windows","REG or Registry files are used to create or modify or remove entries in the Windows Registry.","Block the download and execution of all REG files."
"rtf","Phishing | Double Click","Windows | Mac | Linux","RTF or Rich Text Format is a text document format that supports rich text features such as bold text. RTF files have been used to exploit zero-day vulnerabilities as well as known vulnerabilities such as CVE-2018-0802.","Ensure the latest version of the RTF viewer (e.g. Microsoft Word) is always installed.","https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/ https://neil-fox.github.io/RTF-Analysis-&-Lokibot/"
"scf","Phishing","Windows","SCF or Shell Command Files are Windows Explorer command files that can be used to launch commands via Windows Explorer. They have been used by attackers to steal credentials.","Block the download and execution of SCF files.","https://www.bleepingcomputer.com/news/security/you-can-steal-windows-login-credentials-via-google-chrome-and-scf-files/ https://blog.malwarebytes.com/cybercrime/2017/05/smb-and-scf-another-good-reason-to-disable-superfluous-protocols/"
"scpt","Executable | Script","Mac","An SCPT file is a compiled script created with Apple's Script Editor. It is written in AppleScript which is an automation scripting language used on Macs. SCPT files may be written manually or generated by recording actions.","Block the execution of SCPT files.","https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
"scr","Executable | Double Click","Windows","SCR or Screen Saver files are used by Windows for graphical screen savers.","Block the download and execution of all SCR files.","https://blog.malwarebytes.com/cybercrime/2014/11/rogue-scr-file-links-circulating-in-steam-chat/"
"sct","Script","Windows","SCT files are used to create Component Object Model (COM) programs. They can use scripting languages such as VBScript.","Block the download and execution of SCT files.","https://www.socinvestigation.com/malware-entries-on-sct-files-in-windows/"
"searchConnector-ms","Phishing","Windows","Search Connector files are used to connect users with data stored in remote locations and are similar to the library-ms file described above. The Search Connector file format also allows an icon to be used to customise how the connector is displayed and this icon can be hosted on a remote URI such as an attacker-controlled WebDAV server via the iconReference XML tag. Simply opening a folder containing the .searchConnector-ms file forces Explorer to authenticate to that server and the resulting authentication can be used for NetNTLM hash harvesting.","Apply the “DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings.","https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/"
"service","Executable | Script","Linux",".service files are systemd service unit files that are managed by the systemd system and service manager. Each .timer file must have a corresponding .service file with the same name e.g. example.timer and example.service.","Monitor the use of .service files","https://attack.mitre.org/techniques/T1053/006/"
"settingcontent-ms","Phishing | Double Click | Executable","Windows","SETTINGCONTENT-MS files are XML formatted files introduced in Windows 8 that create shortcuts to different settings pages. They can be used to launch executables on Windows machines and can be embedded in Microsoft Office documents (fixed in CVE-2018-8414) and PDF files.","Block execution of SETTINGCONTENT-MS files outside of the “C:\Windows\ImmersiveControlPanel” path.","https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat"
"sh","Executable | Script | Double Click","Linux","A .sh file is a shell script file used to execute commands in a terminal.","Monitor .sh files"
"sldm","Phishing | Double Click | Macros","Windows | Mac","SLDM is a Microsoft Macro-Enabled slide file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from PowerPoint's settings."
"slk","Phishing | Double Click | Macros","Windows | Mac","SLK or Symbolic Link files are an older Excel file format which rarely has any legitimate use.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://blog.knowbe4.com/new-spear-phishing-campaign-targets-27-famous-brands-with-malicious-slk-files https://www.avanan.com/blog/sylkin-attack-bypassing-microsoft-365-security-risking-users"
"so","Executable","Linux","A .so (Shared Object) file is a compiled library file. Its Windows counterpart is the .DLL file.","Block unknown .so files"
"svg","Phishing | Script | Double Click","Windows | Mac","SVG files are two-dimensional vector graphics written in XML. They are usually launched in the default browser when double clicked. They can also contain JavaScript which makes them dangerous.","Change the default application for SVG files to a text editor such as Notepad. If feasible block SVG files at the email gateway.","https://blog.filestack.com/api/stop-malicious-code-from-infiltrating-svg-files https://www.bleepingcomputer.com/news/security/svg-image-format-set-for-wider-adoption-in-malware-distribution/"
"tar","Phishing | Double Click | File Archiver","Windows | Linux | Mac","A TAR file is an archive created by tar which is a Unix-based utility used to package files together for backup or distribution. It contains multiple files stored in an uncompressed format along with metadata about the archive. A .tar can contain a malicious executable but it cannot be opened with vanilla Windows. Archiving software such as the popular WinZip has to be installed for the user to open .tar files/attachments.","Common email providers do not block tar attachments but there is little legitimate need for them to be delivered through mail. Block the attachments via the email gateway. Where there is a business need open these files with care.","https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware https://isc.sans.edu/forums/diary/Malicious+tar+Attachments/24496/","https://otx.alienvault.com/indicator/file/e31107cce2aa0dcf8b8c064efeacad5508c69d29"
"theme","Phishing | Double Click","Windows","THEME files are used by Windows machines to customize desktop themes. They have been previously used by attackers to steal credentials because they often bypass antivirus detection.","Block the download and execution of THEME files.","https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-abused-to-steal-windows-passwords/"
"themepack","Phishing | Double Click","Windows","THEMEPACK files are used by Windows machines to customize desktop themes. They have been previously used by attackers to steal credentials because they often bypass antivirus detection.","Block the download and execution of THEMEPACK files.","https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-abused-to-steal-windows-passwords/"
"timer","Executable","Linux","Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services.","Monitor the use of .timer files","https://attack.mitre.org/techniques/T1053/006/"
"url","Phishing | Double Click","Windows","URL files are browser shortcuts that open a URL. Just like LNK files they can include an icon to display for the file and that icon reference can be leveraged for NetNTLM hash harvesting.","Apply the “DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings.","https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/ https://cofense.com/latest-software-functionality-abuse-url-internet-shortcut-files-abused-deliver-malware/"
"uue","Phishing | Double Click | File Archiver","Windows","UUE files are uuencoded files that convert binary content to a text format for easy transfer while still allowing the files to be opened with WinZip or similar un-archiving applications. They are normally distributed via email with .zip or similar files inside. APT-C-36 has used this technique.","Show file extensions and open with compression software. Monitor UUE files that are delivered as email attachments.","https://cofense.com/nanocore-variant-delivered-uue-files/","https://www.virustotal.com/gui/file/0fabd3ac7b664d5354c67578609eef24e157eadb64eee56866883ed92fc5153a/detection https://www.virustotal.com/gui/file/cd3569e737597342cfd6a33a597f23767dcd07208661826811ad433e0736960b/detection https://www.virustotal.com/gui/file/dfefcec1eb7e60582c9993879a6ac275d8bc0905e19fbf60f0ca5da7222c6a62/detection"
"vb","Executable | Script","Windows","VB or Visual Basic files are scripts written in VBScript. They can be used to execute code on the machine.","Block the execution of all VB files.","https://isc.sans.edu/forums/diary/Quick+Malicious+VBS+Analysis/25430/"
"vbe","Executable | Script | Double Click","Windows","VBE or Visual Basic Encoded Script is a script written in VBScript. It can be used to execute code on the machine.","Block the execution of all VBE files. Alternatively change the default application for VBE files to a text editor such as Notepad.","https://securelist.com/wave-of-vbe-files-leading-to-financial-fraud/71753/"
"vbs","Executable | Script | Double Click","Windows","VBS or Visual Basic Script is a script written in VBScript. It can be used to execute code on the machine.","Block the execution of all VBS files. Alternatively change the default application for VBS files to a text editor such as Notepad."
"vhd","File Archiver","Windows","A VHD or Virtual Hard Disk extension is a disk image file format which stores the content of a virtual machine.","Block VHD files that are delivered through email.","https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/"
"vhdx","File Archiver","Windows",,,"https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/"
"wbk","Phishing | Double Click | Macros","Windows","WBK is a Microsoft Word Backup Document. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Word's settings.","https://www.hybrid-analysis.com/sample/bb0ffc8cd1fc4d83510ae0f5d6de5fa471c49067dd4479307ef5321883660b6f/5e9f3622f76b203f855a418c"
"website","Phishing | Double Click","Windows","WEBSITE is an Internet Explorer Pinned Site Shortcut which is similar to URL files.","Block the download and execution of WEBSITE files.","https://cofense.com/latest-software-functionality-abuse-url-internet-shortcut-files-abused-deliver-malware/"
"wim","Phishing | Executable | File Archiver","Windows","The Windows Imaging Format (WIM) is a file-based disk image format developed by Microsoft to help deploy Windows Vista and later versions of Windows as well as Windows Fundamentals for Legacy PCs. A WIM file may include several images. Tools such as PowerISO can open a WIM file and extract the files it contains. These image files can contain malicious executables.","Common email providers do not block wim attachments but there is little legitimate need for them to be delivered through mail. Block the attachments via the email gateway. Also open any of these files with care as they can contain malicious executable files.","https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/","https://www.virustotal.com/gui/file/3a1c7d46f9311ccc1222fb1a7309bdeabdd8a337bdf165a83cd03311a16d4389/detection"
"wiz","Phishing","Windows | Mac","WIZ or Microsoft Wizard files are used by the Microsoft Office suite.","Disable macros via GPO and whitelist the users that are permitted to run macros.","https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/spam-campaign-delivers-malware-via-wiz-targets-banks"
"ws","Executable | Script","Windows","WS or Windows Script files contain scripting languages such as JScript.","Block the download and execution of WS files.","https://www.bleepingcomputer.com/news/security/new-wsh-rat-malware-targets-bank-customers-with-keyloggers/"
"wsf","Executable | Script | Double Click","Windows","WSF is a Windows Script file that contains scripting languages such as JScript.","Block the download and execution of all WSF files. Alternatively change the default application for WSF files to a text editor such as Notepad.","https://bestsecuritysearch.com/malicious-wsf-files-zip-archives-malware/"
"wsh","Executable | Script | Double Click","Windows","WSH is a Windows Script file that contains scripting languages such as JScript.","Block the download and execution of all WSH files. Alternatively change the default application for WSH files to a text editor such as Notepad.","https://www.bleepingcomputer.com/news/security/new-wsh-rat-malware-targets-bank-customers-with-keyloggers/"
"xlam","Executable | Phishing | Double Click | Macros","Windows | Mac","A file with the XLAM extension is an Excel Macro-Enabled Add-In file used to add new functions to Excel. Similar to other spreadsheet formats XLAM files contain cells divided into rows and columns that can hold text & formulas & charts & images & more. Like Excel's XLSM and XLSX formats XLAM files are XML-based and saved with ZIP compression to reduce the overall size. Along with cybercrime groups APTs such as Transparent Tribe have been found leveraging .xlam files to target their victims.","Manage trusted locations (keep them to an absolute minimum) and monitor the remaining ones. Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://outflank.nl/blog/2021/12/09/a-phishing-document-signed-by-microsoft https://bazaar.abuse.ch/browse/tag/xlam/ https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html","https://www.virustotal.com/gui/file/53e060dbb6507e8e7bc6642db1afe14e91c82083e82cba85e54ed06a9a08485f"
"xll","Executable | Phishing | Double Click","Windows","XLL or Excel Add-In files are DLLs (PE files) that are loaded into Excel to add powerful features. Once loaded the DLL code is executed and may perform malicious actions.","Break the link between the file extension and Excel in the registry (e.g. open the file with Notepad instead)","https://isc.sans.edu/forums/diary/Downloader+Disguised+as+Excel+AddIn+XLL/28052/","https://bazaar.abuse.ch/sample/f00154ced8148e4866340673268f47b9b41b53925410e6e45ba75140652dfcaf/"
"xlm","Phishing | Double Click | Macros","Windows | Mac","XLM is a Microsoft Macro-Enabled Workbook file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/"
"xls","Phishing | Double Click | Macros","Windows | Mac","XLS is a Microsoft Workbook file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://www.fortinet.com/blog/threat-research/microsoft-excel-files-increasingly-used-to-spread-malware"
"xlsb","Phishing | Double Click | Macros","Windows | Mac","XLSB or Excel Binary Spreadsheet is an uncompressed binary Excel file. Like XLS files it can contain malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://malware.news/t/xlsb-analyzing-a-microsoft-excel-binary-spreadsheet/46442 https://www.hornetsecurity.com/en/threat-research/qakbot-distributed-by-xlsb-files/","https://www.joesandbox.com/analysis/445525/0/html"
"xlsm","Phishing | Double Click | Macros","Windows | Mac","XLSM is a Microsoft Macro-Enabled Workbook file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://www.fortinet.com/blog/threat-research/microsoft-excel-files-increasingly-used-to-spread-malware"
"xlt","Phishing | Double Click | Macros","Windows | Mac","XLT is a Microsoft Workbook template file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://www.fortinet.com/blog/threat-research/microsoft-excel-files-increasingly-used-to-spread-malware"
"xltm","Phishing | Double Click | Macros","Windows | Mac","XLTM is a Microsoft Macro-Enabled Workbook template file. It can be used to execute malicious macros.","Disable macros via GPO and whitelist the users that are permitted to run macros. For end users turn off macros from Excel's settings.","https://www.fortinet.com/blog/threat-research/microsoft-excel-files-increasingly-used-to-spread-malware"
"xps","Phishing | Double Click","Windows","XPS files are Microsoft's version of PDF files. They are opened by default with Microsoft's XPS Viewer. Attackers have recently been seen delivering malicious XPS files as an alternative to PDF files.","Monitor XPS files that are delivered as email attachments.","https://isc.sans.edu/forums/diary/XPS+Attachment+Used+for+Phishing/23794/ https://infinityns.ca/attacks-evolving-phishing-via-xps-files/","https://www.joesandbox.com/analysis/67065/0/html"
"xsl","Script","Windows","XSL or XML StyleSheet files are styling files but can be dangerous because they allow scripting languages such as JScript to be embedded.","Block the execution of XSL files. Alternatively monitor the execution of XSL files."
"xz","Phishing | File Archiver","Windows | Linux","An XZ file is an archive compressed with XZ compression which is a high-ratio compression algorithm based on LZMA. It contains one or more files compressed by the xz command-line tool included with XZ Utils. Much like a .ZIP file an XZ file contains files that have been compressed so they can be stored and shared more easily. Users often use XZ files to share compressed files over the Internet or via email and on USB drives. Like other archive types .xz files can act as carriers of malicious files.","After validating business usage monitor & block the download and execution of .xz archive files on email & web gateways and endpoints. Whitelist as required.","https://twitter.com/malware_traffic/status/965738625404153856?lang=en","https://www.virustotal.com/gui/file/0c7dffe3685b1b50182b3692243caa9f91443b0560dfe5165316632f70d878e2/details"
"z","Phishing | File Archiver","Windows | Linux","Z files are compressed files used to store or pack files on Unix-based machines. They use a simple compression algorithm to archive files and save disk space and can be decompressed on a Unix system with uncompress filename.z where filename.z is the name of the file to decompress. Z files have mostly been replaced by gzip compression which creates .GZ files and Unix users can use the znew utility to recompress Z files to GZ files. These archive file types can be leveraged to distribute malicious files.","After validating business usage block the download and execution of Z archive files on email & web gateways or endpoints and whitelist as required.","https://www.trendmicro.com/en_in/research/18/j/same-old-yet-brand-new-new-file-types-emerge-in-malware-spam-attachments.html","a22ede52f14be480dd478fa0aec955b807e4b91a14fbe1b5d46c07bbb5cacccbb - .Z file attachment"
"zip","Phishing | Double Click | File Archiver","Windows | Mac | Linux","ZIP files are compressed archives that can contain multiple files. They are often used by attackers to deliver malware.","Monitor ZIP files that are delivered as email attachments especially if they are encrypted.","https://www.bleepingcomputer.com/news/security/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/","https://www.joesecurity.org/reports/report-affeafe0002e6aa7f0d03822e3c6fca3.html"