Suspicious Use of Rcedit Utility to Alter Executable Metadata

Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Sigma rule

title: Suspicious Use of Rcedit Utility to Alter Executable Metadata
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: experimental
description: Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022/12/11
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\rcedit-x64.exe'
            - '\rcedit-x86.exe'
        CommandLine|contains: '--set-resource-string'
    selection2:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: medium
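To make the rule's logic concrete, the following Python snippet re-implements the detection above as a plain matcher and runs it over a handful of constructed Sysmon-style process_creation events (fields `Image` and `CommandLine`). This is an added example for this page, not code from the rule author or from the Sigma or rcedit projects; the events are made up for illustration and the matcher only reproduces the rule's `endswith`/`contains` semantics, which in Sigma are case-insensitive by default.

```python
"""Evaluate the rcedit Sigma rule's detection logic over constructed events.

Sigma's |endswith and |contains modifiers compare case-insensitively, so the
matcher lower-cases both the field value and the pattern before comparing.
The events below are constructed for this example; they are not real telemetry.
"""

# Patterns copied from the rule's selection1 / selection2 blocks.
IMAGE_SUFFIXES = ("\\rcedit-x64.exe", "\\rcedit-x86.exe")
REQUIRED_SWITCH = "--set-resource-string"
METADATA_FIELDS = (
    "OriginalFileName", "CompanyName", "FileDescription",
    "ProductName", "ProductVersion", "LegalCopyright",
)


def selection1(event: dict) -> bool:
    """Image ends with one of the rcedit binary names AND the command line
    contains the --set-resource-string switch (both conditions in one
    selection map are ANDed in Sigma)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    image_ok = any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES)
    return image_ok and REQUIRED_SWITCH in cmdline


def selection2(event: dict) -> bool:
    """Command line mentions at least one of the version-info keys
    (a list under a single field is ORed in Sigma)."""
    cmdline = event.get("CommandLine", "").lower()
    return any(field.lower() in cmdline for field in METADATA_FIELDS)


def matches(event: dict) -> bool:
    """condition: selection1 and selection2"""
    return selection1(event) and selection2(event)


def evaluate(events: list) -> list:
    """Return one (matched, reason) tuple per event for quick triage output."""
    results = []
    for event in events:
        if matches(event):
            results.append((True, "selection1 and selection2 satisfied"))
        elif not selection1(event):
            results.append((False, "selection1 failed: image name or switch"))
        else:
            results.append((False, "selection2 failed: no version-info key"))
    return results


# Constructed sample events (hypothetical paths and file names).
SAMPLE_EVENTS = [
    # 1. Matches: rcedit binary, required switch, and a listed key.
    {"Image": r"C:\Users\alice\Downloads\rcedit-x64.exe",
     "CommandLine": r'rcedit-x64.exe C:\Temp\example.exe --set-resource-string "OriginalFileName" "example.exe"'},
    # 2. Mixed case still matches, as Sigma string matching is case-insensitive.
    {"Image": r"D:\Tools\RcEdit-X86.EXE",
     "CommandLine": r'RcEdit-X86.EXE target.exe --SET-RESOURCE-STRING "productname" "Example"'},
    # 3. Does not match: rcedit's --set-version-string switch is not the one the rule requires.
    {"Image": r"C:\build\tools\rcedit-x64.exe",
     "CommandLine": r'rcedit-x64.exe app.exe --set-version-string "CompanyName" "Example Corp"'},
    # 4. Does not match: right binary and switch, but no listed metadata key.
    {"Image": r"C:\build\tools\rcedit-x64.exe",
     "CommandLine": r'rcedit-x64.exe app.exe --set-resource-string 101 "hello"'},
    # 5. Does not match: a different image, even though a key string appears.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo OriginalFileName"},
]


if __name__ == "__main__":
    for event, (hit, reason) in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ignore'}  {event['CommandLine']}  ({reason})")
```

Two points the sample set makes visible: the rule fires only when both the binary name and the literal `--set-resource-string` switch appear (event 4 shows the switch alone is not enough), and, by my reading of the rcedit README rather than anything on this page, an invocation using rcedit's separate `--set-version-string` switch (event 3) sets the same version-info keys yet falls outside selection1 as written, which is worth knowing when tuning coverage.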
