Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Sigma rule
```yaml
title: Potential Defense Evasion Via Binary Rename
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
related:
    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
      type: similar
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-06-15
modified: 2025-07-15
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'CONHOST.EXE'
            - '7z.exe'
            - '7za.exe'
            - 'WinRAR.exe'
            - 'wevtutil.exe'
            - 'net.exe'
            - 'net1.exe'
            - 'netsh.exe'
            - 'InstallUtil.exe'
    filter:
        Image|endswith:
            - '\cmd.exe'
            - '\conhost.exe'
            - '\7z.exe'
            - '\7za.exe'
            - '\WinRAR.exe'
            - '\wevtutil.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\InstallUtil.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
```
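The rule's `selection and not filter` logic, written out as an added example (not code from the Sigma project or the rule's authors) and run over constructed Sysmon process-creation records. It assumes the event is a dict with `Image` and `OriginalFileName` fields as Sysmon Event ID 1 reports them, and that Sigma's default case-insensitive string matching applies to both lists.

```python
# Added example (not from the Sigma project): this rule's
# `selection and not filter` logic in Python, run over constructed
# Sysmon Event ID 1 records. Sigma compares strings case-insensitively
# unless a modifier says otherwise, so both sides are lowercased here.

# OriginalFileName values from the rule's `selection` block.
WATCHED_NAMES = {
    "cmd.exe", "conhost.exe", "7z.exe", "7za.exe", "winrar.exe",
    "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "installutil.exe",
}

# The `filter` block: Image|endswith '\<name>' for the same names.
EXPECTED_SUFFIXES = tuple("\\" + name for name in WATCHED_NAMES)


def is_renamed_binary(event: dict) -> bool:
    """True when the event matches `selection and not filter`.

    A missing OriginalFileName (Sysmon logs '-' when the PE carries no
    version resource) never matches the selection, so it is not flagged.
    """
    original = event.get("OriginalFileName", "-").lower()
    image = event.get("Image", "").lower()
    selection = original in WATCHED_NAMES
    filtered = image.endswith(EXPECTED_SUFFIXES)
    return selection and not filtered


def find_renamed(events: list) -> list:
    """Return the Image paths of every event the rule would alert on."""
    return [e["Image"] for e in events if is_renamed_binary(e)]


# Constructed Sysmon process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "wevtutil.exe"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe"},
    {"Image": r"C:\Users\Public\NET.EXE", "OriginalFileName": "net.exe"},
    {"Image": r"C:\Temp\custom.exe", "OriginalFileName": "-"},
]

if __name__ == "__main__":
    for path in find_renamed(SAMPLE_EVENTS):
        print("renamed binary:", path)
```

Only the second and third sample events fire: the upper-case `NET.EXE` path is filtered because the on-disk name still matches, and the event without version info never enters the selection.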
Related rules
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Remote Access Tool - Renamed MeshAgent Execution - MacOS
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Renamed Powershell Under Powershell Channel
- Renamed BrowserCore.EXE Execution