Execution of File with Multiple Extensions

Splunk Security Content

Summary
This detection rule identifies the execution of files that have multiple extensions, such as ".doc.exe" or ".pdf.exe". Attackers often use this naming to disguise malicious executables as harmless documents, increasing the chance that a user opens them. The detection relies on telemetry from Endpoint Detection and Response (EDR) services, focusing on process creation events in which the file name contains a double extension. If confirmed malicious, this technique allows unauthorized code execution on the compromised endpoint, which can lead to further attacks or exploitation of the system. The analytic uses data sources such as Sysmon EventID 1, Windows Event Log Security, and CrowdStrike ProcessRollup2. Implementation requires ingesting process logs with comprehensive details, including process GUID, name, and command-line arguments, mapped to the Endpoint data model in Splunk. The rule is structured to minimize false positives, draws on attack behaviors documented in risk management frameworks, and includes drilldown searches for exploring results. References include Malpedia’s documentation on specific malware exploitations.
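As an added illustration (not the Splunk rule's own search logic), the Python below applies the same idea to constructed Sysmon-style process creation records: it keeps only EventID 1 events and flags an Image whose file name ends in a decoy document extension followed by an executable extension. The extension lists, field names and sample events are assumptions for this example.

```python
import re
from typing import Dict, List

# Assumed lists for this example (not taken from the Splunk rule): document-like
# extensions an attacker hides behind, and extensions Windows actually executes.
DECOY_EXTENSIONS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf", "jpg", "png")
EXEC_EXTENSIONS = ("exe", "scr", "com", "pif", "bat", "cmd")

# Matches "<anything>.<decoy>.<exec>" at the end of a file name, case-insensitive.
DOUBLE_EXT_RE = re.compile(
    r"\.(?:%s)\.(?:%s)$" % ("|".join(DECOY_EXTENSIONS), "|".join(EXEC_EXTENSIONS)),
    re.IGNORECASE,
)

def file_name_from_image(image: str) -> str:
    """Return the last path component of a Windows or POSIX style path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1]

def has_double_extension(file_name: str) -> bool:
    """True when the name ends in a decoy extension followed by an executable one."""
    return DOUBLE_EXT_RE.search(file_name.strip().strip('"')) is not None

def detect_double_extension(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only Sysmon process-creation events (EventID 1) whose Image has a double extension."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "1":      # only process creation, not network/file events
            continue
        name = file_name_from_image(ev.get("Image", ""))
        if has_double_extension(name):
            hits.append({"ProcessGuid": ev.get("ProcessGuid", ""), "process_name": name,
                         "CommandLine": ev.get("CommandLine", "")})
    return hits

# Constructed sample events, not real telemetry; GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": "1", "ProcessGuid": "{guid-1}", "Image": r"C:\Users\alice\Downloads\Invoice.PDF.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\Invoice.PDF.exe"'},
    {"EventID": "1", "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe report.docx"},          # document name only in the arguments
    {"EventID": "1", "ProcessGuid": "{guid-3}", "Image": r"C:\Tools\setup.x64.exe",
     "CommandLine": r"setup.x64.exe /quiet"},              # benign multi-dot name, not a decoy
    {"EventID": "3", "ProcessGuid": "{guid-4}", "Image": r"C:\Temp\photo.jpg.scr",
     "CommandLine": ""},                                   # network event, not process creation
]

if __name__ == "__main__":
    for hit in detect_double_extension(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample event is reported; the benign multi-dot installer name and the non-process-creation event are left alone, which is the false-positive trade-off the decoy list encodes.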
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Process
ATT&CK Techniques
  • T1036
  • T1036.003
Created: 2024-11-13