Unexpected Internal Process Name (RedCanary Threat Detection Report)
Detects powershell processes renamed to notepad.exe. This is a narrow example for demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule

```yaml
title: Unexpected Internal Process Name (RedCanary Threat Detection Report)
id: e930ba8f-388a-4436-8326-4ffb1c52b111
status: experimental
description: |
    Detects powershell processes renamed to notepad.exe. This is a narrow example for
    demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\notepad.exe'
        OriginalFileName: 'PowerShell.EXE'
    condition: selection
falsepositives:
    - Unknown
level: low
```
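The selection above is a two-field match; the following added example (not part of the rule or of the Red Canary report) applies that exact logic to constructed process-creation events, and then goes beyond the narrow case by flagging any event whose on-disk file name disagrees with the PE's OriginalFileName, which is the general shape of T1036.003. The sample events and their field values are invented for this example.

```python
"""Added example: run the Sigma selection over constructed events, then
generalise it to any renamed system utility (Image vs OriginalFileName)."""
import ntpath

# Constructed process_creation events in Sysmon Event ID 1 field style.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\notepad.exe",
     "OriginalFileName": "PowerShell.EXE"},            # renamed PowerShell
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},               # genuine Notepad
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},            # genuine PowerShell
    {"Image": r"C:\Temp\svchost.exe",
     "OriginalFileName": "Cmd.Exe"},                   # renamed cmd.exe
]

def matches_rule(event: dict) -> bool:
    """The Sigma selection as written: Image|endswith '\\notepad.exe' AND
    OriginalFileName == 'PowerShell.EXE'. Sigma string matching is
    case-insensitive, so both sides are lower-cased before comparing."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\notepad.exe") and original == "powershell.exe"

def renamed_utility(event: dict) -> bool:
    """Generalisation: the file name on disk differs from the PE version
    resource's OriginalFileName. Events with an empty OriginalFileName are
    skipped rather than flagged, since many binaries simply lack the field."""
    original = event.get("OriginalFileName", "")
    if not original:
        return False
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return on_disk != original.lower()

def scan(events: list) -> list:
    """Return (index, reason) pairs for events that should raise an alert."""
    hits = []
    for i, ev in enumerate(events):
        if matches_rule(ev):
            hits.append((i, "powershell renamed to notepad.exe"))
        elif renamed_utility(ev):
            hits.append((i, "image name differs from OriginalFileName"))
    return hits

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {why} -> {SAMPLE_EVENTS[idx]['Image']}")
```

The generalised check is a signal rather than proof: tools that rewrite PE version resources (see the related Rcedit rule below) can make OriginalFileName agree with the new file name, so pair it with the other related rules rather than relying on it alone.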
Related rules
- Potential Homoglyph Attack Using Lookalike Characters
- Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Command or Scripting Interpreter Creating EXE File
- File Creation of Executables in Temp Folders (Event 4663)