Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Sigma rule (View on GitHub)
1title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
2id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
3related:
4 - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
5 type: similar
6 - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
7 type: derived
8 - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
9 type: obsolete
10 - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
11 type: obsolete
12 - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
13 type: obsolete
14status: test
15description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
16references:
17 - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
18 - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
19 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
20 - https://twitter.com/christophetd/status/1164506034720952320
21 - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
22author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
23date: 2019-06-15
24modified: 2024-12-03
25tags:
26 - attack.defense-evasion
27 - attack.t1036.003
28 - car.2013-05-009
29logsource:
30 category: process_creation
31 product: windows
32detection:
33 selection:
34 - Description: 'Execute processes remotely'
35 - Product: 'Sysinternals PsExec'
36 - Description|startswith:
37 - 'Windows PowerShell'
38 - 'pwsh'
39 - OriginalFileName:
40 - 'certutil.exe'
41 - 'cmstp.exe'
42 - 'cscript.exe'
43 - 'IE4UINIT.EXE'
44 - 'mshta.exe'
45 - 'msiexec.exe'
46 - 'msxsl.exe'
47 - 'powershell_ise.exe'
48 - 'powershell.exe'
49 - 'psexec.c' # old versions of psexec (2016 seen)
50 - 'psexec.exe'
51 - 'psexesvc.exe'
52 - 'pwsh.dll'
53 - 'reg.exe'
54 - 'regsvr32.exe'
55 - 'rundll32.exe'
56 - 'WerMgr'
57 - 'wmic.exe'
58 - 'wscript.exe'
59 filter:
60 Image|endswith:
61 - '\certutil.exe'
62 - '\cmstp.exe'
63 - '\cscript.exe'
64 - '\ie4uinit.exe'
65 - '\mshta.exe'
66 - '\msiexec.exe'
67 - '\msxsl.exe'
68 - '\powershell_ise.exe'
69 - '\powershell.exe'
70 - '\psexec.exe'
71 - '\psexec64.exe'
72 - '\PSEXESVC.exe'
73 - '\pwsh.exe'
74 - '\reg.exe'
75 - '\regsvr32.exe'
76 - '\rundll32.exe'
77 - '\wermgr.exe'
78 - '\wmic.exe'
79 - '\wscript.exe'
80 condition: selection and not filter
81falsepositives:
82 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
83 - PsExec installed via Windows Store doesn't contain original filename field (False negative)
84level: high
References
Related rules
- Ps.exe Renamed SysInternals Tool
- Suspicious Download From File-Sharing Website Via Bitsadmin
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download Via Bitsadmin To An Uncommon Target Folder