Unexpected Internal Process Name
Detects instances where the powershell process is renamed to notepad for defense evasion. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule (View on GitHub)

```yaml
title: Unexpected Internal Process Name
id: a6d26b45-14ea-4ee0-901c-3aefc384d3c9
status: experimental
description: |
    Detects instances where the powershell process is renamed to notepad for defense evasion.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\notepad.exe'
        OriginalFileName: 'powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
```
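The rule's logic is a single selection: the on-disk image name ends in `\notepad.exe` while the PE version resource still says `powershell.exe`. The following is an added example, not part of the Sigma rule or any Red Canary or Sigma project code; it evaluates that selection over a few constructed Sysmon-style process-creation events (JSON lines, field names as Sysmon reports them) to show how the match behaves. Sigma string comparisons are case-insensitive by default, which matters here because the real `OriginalFileName` of Windows PowerShell is `PowerShell.EXE`, and an event missing the `OriginalFileName` field does not match, so the example handles both.

```python
"""Minimal evaluator for the 'Unexpected Internal Process Name' Sigma selection.
Added example code; the events below are constructed, not real telemetry."""
import json
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 records (paths and values are made up).
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe readme.txt"}
{"EventID": 1, "Image": "C:\\Users\\Public\\notepad.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "notepad.exe -nop -w hidden"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -File build.ps1"}
{"EventID": 1, "Image": "D:\\tools\\notepad.exe", "CommandLine": "notepad.exe"}
""".strip()


def parse_events(log_text: str) -> List[Dict[str, object]]:
    """Parse one JSON object per line into event dictionaries."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def sigma_endswith(value: Optional[str], suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive; a missing field never matches."""
    return value is not None and value.lower().endswith(suffix.lower())


def sigma_equals(value: Optional[str], expected: str) -> bool:
    """Sigma plain string match: case-insensitive; a missing field never matches."""
    return value is not None and value.lower() == expected.lower()


def matches_rule(event: Dict[str, object]) -> bool:
    """Selection from the rule: Image|endswith '\\notepad.exe' AND OriginalFileName 'powershell.exe'."""
    image = event.get("Image")
    original = event.get("OriginalFileName")
    return sigma_endswith(image, "\\notepad.exe") and sigma_equals(original, "powershell.exe")


def evaluate(log_text: str) -> List[Dict[str, object]]:
    """Return the events that trigger the rule, preserving their original order."""
    return [event for event in parse_events(log_text) if matches_rule(event)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LOG):
        # An analyst would pivot from here to the binary's hash and parent process.
        print("ALERT renamed PowerShell:", hit["Image"], "|", hit.get("CommandLine"))
```

Only the second record fires: the first is genuine Notepad, the third is PowerShell under its own name, and the fourth lacks the `OriginalFileName` field entirely, which is worth remembering when the collector does not populate that field (the rule is then blind, not noisy).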
References
- https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
Related rules
- Processes Executing with Unusual Command Lines
- Potential Homoglyph Attack Using Lookalike Characters
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Command or Scripting Interpreter Creating EXE File
- File Creation of Executables in Temp Folders (Event 4663)