Unexpected Internal Process Name
Looks for the execution of powershell renamed as Notepad.exe. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule
```yaml
title: Unexpected Internal Process Name
id: a01d910a-d31d-4d1f-98ce-3dedd301a605
status: experimental
description: Looks for the execution of powershell renamed as Notepad.exe. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description|startswith:
            - 'Windows Powershell'
            - 'pwsh'
        Image|endswith: '\notepad.exe'
        OriginalFileName: 'powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
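The detection hinges on the difference between a field the attacker controls (`Image`, the on-disk name) and fields taken from the PE version resource that a simple rename does not alter (`OriginalFileName`, `Description`). The example below is added here and is not part of the rule or the Sigma project: it transcribes the rule's `selection` and re-implements the three modifiers it uses (`startswith`, `endswith`, exact match) with Sigma's default case-insensitive matching, then runs them over constructed process_creation events. Note that all fields inside one selection are ANDed, so the `pwsh` branch of `Description|startswith` can only fire for a binary whose `OriginalFileName` is exactly `powershell.exe`; the fourth sample event illustrates that.

```python
"""Evaluate the 'Unexpected Internal Process Name' selection against sample events.

Added example, not code from the Sigma rule or the Sigma project. The event
field names follow the Sigma process_creation log source; the events themselves
are constructed, not real telemetry.
"""

# The rule's selection, transcribed from the YAML. Within one selection every
# field must match (AND); a list of values for a single field is an OR.
SELECTION = {
    "Description|startswith": ["Windows Powershell", "pwsh"],
    "Image|endswith": ["\\notepad.exe"],
    "OriginalFileName": ["powershell.exe"],
}


def _field_matches(modifier, value, patterns):
    """Apply one Sigma string modifier; Sigma matches case-insensitively by default."""
    v = (value or "").lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier is None and v == p:
            return True
    return False


def event_matches(event, selection=SELECTION):
    """Return True when every field of the selection matches the event (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(modifier or None, event.get(field), patterns):
            return False
    return True


# Constructed sample events. Image is whatever name the file was given on disk;
# Description and OriginalFileName come from the PE version resource.
SAMPLE_EVENTS = [
    {   # powershell.exe copied to notepad.exe and executed: the rule should fire
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\notepad.exe",
        "OriginalFileName": "PowerShell.EXE",
        "Description": "Windows PowerShell",
        "CommandLine": "notepad.exe -nop -w hidden -enc ...",
    },
    {   # genuine Notepad: Image matches, version resource does not
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "Description": "Notepad",
        "CommandLine": "notepad.exe C:\\notes.txt",
    },
    {   # genuine PowerShell under its own name: OriginalFileName matches, Image does not
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "Description": "Windows PowerShell",
        "CommandLine": "powershell.exe -File script.ps1",
    },
    {   # constructed pwsh-style event: Description and Image match, but the
        # OriginalFileName is not 'powershell.exe', so the AND fails
        "Image": "C:\\Temp\\notepad.exe",
        "OriginalFileName": "pwsh.dll",
        "Description": "pwsh",
        "CommandLine": "notepad.exe -c Get-Process",
    },
]


def find_matches(events=SAMPLE_EVENTS):
    """Return the Image paths of the events the selection fires on."""
    return [e["Image"] for e in events if event_matches(e)]


if __name__ == "__main__":
    for image in find_matches():
        print("ALERT Unexpected Internal Process Name:", image)
```

Running the script prints a single alert, for the renamed PowerShell in the user's Temp directory; the other three events are rejected by one field each, which is the behaviour a reviewer should confirm before deploying the converted rule.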
Related rules
- Process Executing with Unusual Command Lines
- Svchost Not Matching Normal Execution Parameters
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components