Potential Defense Evasion Via Binary Rename

 1title: Potential Defense Evasion Via Binary Rename
 2id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
 3related:
 4    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
 5      type: similar
 6status: test
 7description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
 8references:
 9    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
10    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
11    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
12author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
13date: 2019/06/15
14modified: 2023/01/18
15tags:
16    - attack.defense_evasion
17    - attack.t1036.003
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        OriginalFileName:
24            - 'Cmd.Exe'
25            - 'CONHOST.EXE'
26            - '7z.exe'
27            - 'WinRAR.exe'
28            - 'wevtutil.exe'
29            - 'net.exe'
30            - 'net1.exe'
31            - 'netsh.exe'
32            - 'InstallUtil.exe'
33    filter:
34        Image|endswith:
35            - '\cmd.exe'
36            - '\conhost.exe'
37            - '\7z.exe'
38            - '\WinRAR.exe'
39            - '\wevtutil.exe'
40            - '\net.exe'
41            - '\net1.exe'
42            - '\netsh.exe'
43            - '\InstallUtil.exe'
44    condition: selection and not filter
45falsepositives:
46    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
47level: medium

References

• Blue Team Hacks - Binary Rename

  

  A blog for DFIR thoughts, research and for my future reference

  
  Read More

• Binary Rename 2

  

  A blog for DFIR thoughts, research and for my future reference

  
  Read More

• atomic-red-team/atomics/T1036.003/T1036.003.md at 0f229c0e42bfe7ca736a14023836d65baa941ed2 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• Ps.exe Renamed SysInternals Tool
• Potential Homoglyph Attack Using Lookalike Characters
• Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)
• Unexpected Internal Process Name (RedCanary Threat Detection Report)
• Renamed ProcDump Execution