Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary that is often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.

Sigma rule

title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
related:
    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
      type: similar
    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
      type: derived
    - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
      type: obsoletes
    - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
      type: obsoletes
    - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
      type: obsoletes
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
    - https://twitter.com/christophetd/status/1164506034720952320
    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
date: 2019/06/15
modified: 2023/08/23
tags:
    - attack.defense_evasion
    - attack.t1036.003
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Execute processes remotely'
        - Product: 'Sysinternals PsExec'
        - Description|startswith:
            - 'Windows PowerShell'
            - 'pwsh'
        - OriginalFileName:
            - 'certutil.exe'
            - 'cmstp.exe'
            - 'cscript.exe'
            - 'mshta.exe'
            - 'msiexec.exe'
            - 'powershell_ise.exe'
            - 'powershell.exe'
            - 'psexec.c'        # old versions of psexec (2016 seen)
            - 'psexec.exe'
            - 'psexesvc.exe'
            - 'pwsh.dll'
            - 'reg.exe'
            - 'regsvr32.exe'
            - 'rundll32.exe'
            - 'WerMgr'
            - 'wmic.exe'
            - 'wscript.exe'
    filter:
        Image|endswith:
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\PSEXESVC.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wermgr.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
level: high
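As an added illustration (not code from the rule or the Sigma project), the rule's `selection and not filter` logic re-implemented in Python and run over constructed Sysmon process_creation events, including the custom-wrapper false positive and the missing-OriginalFileName false negative that the falsepositives section describes:

```python
SELECTION_ORIGINAL_FILENAMES = {
    "certutil.exe", "cmstp.exe", "cscript.exe", "mshta.exe", "msiexec.exe",
    "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe",
    "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe",
    "wermgr", "wmic.exe", "wscript.exe",
}
FILTER_IMAGE_SUFFIXES = tuple("\\" + n for n in (
    "certutil.exe", "cmstp.exe", "cscript.exe", "mshta.exe", "msiexec.exe",
    "powershell_ise.exe", "powershell.exe", "psexec.exe", "psexec64.exe",
    "psexesvc.exe", "pwsh.exe", "reg.exe", "regsvr32.exe", "rundll32.exe",
    "wermgr.exe", "wmic.exe", "wscript.exe",
))

def _field(event, key):
    # Sigma string matching is case-insensitive; a missing field compares as "".
    return str(event.get(key, "")).lower()

def selection(event):
    # The four list items under 'selection' are OR-ed together.
    desc = _field(event, "Description")
    return (
        desc == "execute processes remotely"
        or _field(event, "Product") == "sysinternals psexec"
        or desc.startswith(("windows powershell", "pwsh"))
        or _field(event, "OriginalFileName") in SELECTION_ORIGINAL_FILENAMES
    )

def rule_filter(event):
    # Image still ends in a genuine name from the list: not a rename, suppress.
    return _field(event, "Image").endswith(FILTER_IMAGE_SUFFIXES)

def matches(event):
    return selection(event) and not rule_filter(event)

# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {"case": "renamed rundll32", "Image": "C:\\Users\\Public\\svc32.exe",
     "OriginalFileName": "RUNDLL32.EXE", "Description": "Windows host process (Rundll32)"},
    {"case": "genuine powershell", "OriginalFileName": "PowerShell.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"case": "custom wrapper (false positive)", "Image": "C:\\Tools\\ps-launcher.exe",
     "OriginalFileName": "ps-launcher.exe", "Description": "Windows PowerShell Launcher"},
    {"case": "renamed copy lacking version info (false negative)", "Image": "C:\\Temp\\p.exe"},
]

def alerts(events=EVENTS):
    # Return the 'case' labels of the events the rule would fire on.
    return [e["case"] for e in events if matches(e)]
```

The renamed copy without version-information fields slips past the rule because none of the selection fields is present, which is the false negative noted for the Store-installed PsExec.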
