Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Sigma rule (View on GitHub)

 1title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
 2id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
 3related:
 4    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
 5      type: similar
 6    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
 7      type: derived
 8    - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
 9      type: obsolete
10    - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
11      type: obsolete
12    - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
13      type: obsolete
14status: test
15description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
16references:
17    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
18    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
19    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
20    - https://twitter.com/christophetd/status/1164506034720952320
21    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
22author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
23date: 2019-06-15
24modified: 2024-12-03
25tags:
26    - attack.defense-evasion
27    - attack.t1036.003
28    - car.2013-05-009
29logsource:
30    category: process_creation
31    product: windows
32detection:
33    selection:
34        - Description: 'Execute processes remotely'
35        - Product: 'Sysinternals PsExec'
36        - Description|startswith:
37              - 'Windows PowerShell'
38              - 'pwsh'
39        - OriginalFileName:
40              - 'certutil.exe'
41              - 'cmstp.exe'
42              - 'cscript.exe'
43              - 'IE4UINIT.EXE'
44              - 'mshta.exe'
45              - 'msiexec.exe'
46              - 'msxsl.exe'
47              - 'powershell_ise.exe'
48              - 'powershell.exe'
49              - 'psexec.c'        # old versions of psexec (2016 seen)
50              - 'psexec.exe'
51              - 'psexesvc.exe'
52              - 'pwsh.dll'
53              - 'reg.exe'
54              - 'regsvr32.exe'
55              - 'rundll32.exe'
56              - 'WerMgr'
57              - 'wmic.exe'
58              - 'wscript.exe'
59    filter:
60        Image|endswith:
61            - '\certutil.exe'
62            - '\cmstp.exe'
63            - '\cscript.exe'
64            - '\ie4uinit.exe'
65            - '\mshta.exe'
66            - '\msiexec.exe'
67            - '\msxsl.exe'
68            - '\powershell_ise.exe'
69            - '\powershell.exe'
70            - '\psexec.exe'
71            - '\psexec64.exe'
72            - '\PSEXESVC.exe'
73            - '\pwsh.exe'
74            - '\reg.exe'
75            - '\regsvr32.exe'
76            - '\rundll32.exe'
77            - '\wermgr.exe'
78            - '\wmic.exe'
79            - '\wscript.exe'
80    condition: selection and not filter
81falsepositives:
82    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
83    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
84level: high

References

Related rules

to-top