Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Sigma rule (View on GitHub)
1title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
2id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
3related:
4 - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
5 type: similar
6 - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
7 type: derived
8 - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
9 type: obsoletes
10 - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
11 type: obsoletes
12 - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
13 type: obsoletes
14status: test
15description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
16references:
17 - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
18 - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
19 - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
20 - https://twitter.com/christophetd/status/1164506034720952320
21 - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
22author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
23date: 2019/06/15
24modified: 2023/08/23
25tags:
26 - attack.defense_evasion
27 - attack.t1036.003
28 - car.2013-05-009
29logsource:
30 category: process_creation
31 product: windows
32detection:
33 selection:
34 - Description: 'Execute processes remotely'
35 - Product: 'Sysinternals PsExec'
36 - Description|startswith:
37 - 'Windows PowerShell'
38 - 'pwsh'
39 - OriginalFileName:
40 - 'certutil.exe'
41 - 'cmstp.exe'
42 - 'cscript.exe'
43 - 'mshta.exe'
44 - 'msiexec.exe'
45 - 'powershell_ise.exe'
46 - 'powershell.exe'
47 - 'psexec.c' # old versions of psexec (2016 seen)
48 - 'psexec.exe'
49 - 'psexesvc.exe'
50 - 'pwsh.dll'
51 - 'reg.exe'
52 - 'regsvr32.exe'
53 - 'rundll32.exe'
54 - 'WerMgr'
55 - 'wmic.exe'
56 - 'wscript.exe'
57 filter:
58 Image|endswith:
59 - '\certutil.exe'
60 - '\cmstp.exe'
61 - '\cscript.exe'
62 - '\mshta.exe'
63 - '\msiexec.exe'
64 - '\powershell_ise.exe'
65 - '\powershell.exe'
66 - '\psexec.exe'
67 - '\psexec64.exe'
68 - '\PSEXESVC.exe'
69 - '\pwsh.exe'
70 - '\reg.exe'
71 - '\regsvr32.exe'
72 - '\rundll32.exe'
73 - '\wermgr.exe'
74 - '\wmic.exe'
75 - '\wscript.exe'
76 condition: selection and not filter
77falsepositives:
78 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
79 - PsExec installed via Windows Store doesn't contain original filename field (False negative)
80level: high
References
-
-
-
A new ransomware dubbed MegaCortex has been targeting business networks across the world. The sudden surge in activity was noted by cybersecurity firms and researchers, and further investigation shows how complex this particular ransomware is.
Read More -
-
Don’t let cyber threats get the best of you. Read our post, SVCReady: A New Loader Gets Ready, to learn more about cyber threats and cyber security.
Read More
Related rules
- Ps.exe Renamed SysInternals Tool
- LOL-Binary Copied From System Directory
- Process Memory Dump Via Comsvcs.DLL
- Suspicious Copy From or To System Directory
- Windows Processes Suspicious Parent Directory