PUA - Potential PE Metadata Tamper Using Rcedit

Detects the use of rcedit to alter PE version metadata (for example OriginalFileName, CompanyName or ProductName) of an executable, which could conceal a renamed system utility or tampered tool for defense evasion.

Sigma rule

title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022/12/11
modified: 2023/03/05
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
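As an added example that is not part of this page or of the SigmaHQ rule set, the following Python mirrors the rule's three selections and its `all of selection_*` condition and runs them over constructed Windows process_creation events. Field names (Image, CommandLine, Description, Product) follow the Sigma process_creation taxonomy; every sample event is made up for illustration. Sigma string matching is case-insensitive by default, which the helper reflects by lower-casing both sides.

```python
# Added example: minimal re-implementation of the rule's logic for offline
# testing. Not code from the SigmaHQ project; the sample events are constructed.

IMAGE_SUFFIXES = ("\\rcedit-x64.exe", "\\rcedit-x86.exe")
DESCRIPTION = "Edit resources of exe"
PRODUCT = "rcedit"
FLAG_MARKER = "--set-"  # --set-version-string, --set-resource-string, ...
ATTRIBUTES = ("OriginalFileName", "CompanyName", "FileDescription",
              "ProductName", "ProductVersion", "LegalCopyright")


def _field(event, name):
    # Sigma matches strings case-insensitively by default; a missing field
    # is treated as an empty string so it simply never matches.
    return str(event.get(name, "")).lower()


def selection_img(event):
    # A list under one selection key is OR-ed: either the image name matches,
    # or the PE metadata Sysmon reads from the running binary identifies it
    # as rcedit even if the file itself was renamed.
    image = _field(event, "Image")
    return (image.endswith(tuple(s.lower() for s in IMAGE_SUFFIXES))
            or _field(event, "Description") == DESCRIPTION.lower()
            or _field(event, "Product") == PRODUCT.lower())


def selection_flags(event):
    return FLAG_MARKER in _field(event, "CommandLine")


def selection_attributes(event):
    # CommandLine|contains with a list: any listed value may match.
    cmd = _field(event, "CommandLine")
    return any(attr.lower() in cmd for attr in ATTRIBUTES)


def matches(event):
    # condition: all of selection_*
    return (selection_img(event)
            and selection_flags(event)
            and selection_attributes(event))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # plain rcedit run rewriting OriginalFileName -> should fire
        "id": "evt-1",
        "Image": "C:\\Tools\\rcedit-x64.exe",
        "CommandLine": 'rcedit-x64.exe "C:\\Temp\\svc.exe" --set-version-string "OriginalFileName" "svchost.exe"',
        "Description": "Edit resources of exe",
        "Product": "rcedit",
    },
    {   # rcedit renamed to r.exe; only its own PE metadata gives it away -> should fire
        "id": "evt-2",
        "Image": "C:\\Users\\Public\\r.exe",
        "CommandLine": 'r.exe payload.exe --set-version-string CompanyName "Microsoft Corporation"',
        "Description": "Edit resources of exe",
        "Product": "rcedit",
    },
    {   # read-only query, no --set- flag -> must not fire
        "id": "evt-3",
        "Image": "C:\\Tools\\rcedit-x64.exe",
        "CommandLine": "rcedit-x64.exe app.exe --get-version-string ProductName",
        "Description": "Edit resources of exe",
        "Product": "rcedit",
    },
    {   # icon swap: --set- present but none of the six attributes -> must not fire
        "id": "evt-4",
        "Image": "C:\\Tools\\rcedit-x86.exe",
        "CommandLine": "rcedit-x86.exe app.exe --set-icon app.ico",
        "Description": "Edit resources of exe",
        "Product": "rcedit",
    },
    {   # unrelated process whose command line contains both substrings -> must not fire
        "id": "evt-5",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell.exe -c "Set-Content out.txt --set-ProductName"',
        "Description": "Windows PowerShell",
        "Product": "Microsoft Windows Operating System",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would flag, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f'{e["id"]}: {"ALERT" if matches(e) else "-"}')
```

Two things the sample set makes visible: the Description and Product alternatives in selection_img are what keep the rule working when rcedit itself has been renamed (Sysmon Event ID 1 fills those fields from the running image's version resource), and the rule deliberately stays quiet on rcedit runs that do not touch one of the six version-string attributes, such as `--set-icon` or a `--get-version-string` query. It is also only as good as the attacker's laziness: an operator who first runs rcedit against its own binary to rewrite Description and Product, and renames the file, defeats selection_img entirely.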
