Potential Binary Impersonating Sysinternals Tools

Detects binaries that use the same name as legitimate sysinternals tools to evade detection


# Sigma rule: alerts on process creations whose image file name matches a
# Sysinternals tool while the PE "Company" version-info field does not name
# Sysinternals, i.e. a likely renamed or look-alike binary.
title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113
date: 2021/12/20
modified: 2022/12/08
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    # File names of the Sysinternals Suite binaries, 32-bit and 64-bit
    # variants. Sigma's default string matching is case-insensitive, so the
    # mixed casing in this list is cosmetic; only the trailing path component
    # is compared (endswith), so the install directory does not matter.
    selection_exe:
        Image|endswith:
            - '\accesschk.exe'
            - '\accesschk64.exe'
            - '\AccessEnum.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADInsight.exe'
            - '\ADInsight64.exe'
            - '\adrestore.exe'
            - '\adrestore64.exe'
            - '\Autologon.exe'
            - '\Autologon64.exe'
            - '\Autoruns.exe'
            - '\Autoruns64.exe'
            - '\autorunsc.exe'
            - '\autorunsc64.exe'
            - '\Bginfo.exe'
            - '\Bginfo64.exe'
            - '\Cacheset.exe'
            - '\Cacheset64.exe'
            - '\Clockres.exe'
            - '\Clockres64.exe'
            - '\Contig.exe'
            - '\Contig64.exe'
            - '\Coreinfo.exe'
            - '\Coreinfo64.exe'
            - '\CPUSTRES.EXE'
            - '\CPUSTRES64.EXE'
            - '\ctrl2cap.exe'
            - '\Dbgview.exe'
            - '\dbgview64.exe'
            - '\Desktops.exe'
            - '\Desktops64.exe'
            - '\disk2vhd.exe'
            - '\disk2vhd64.exe'
            - '\diskext.exe'
            - '\diskext64.exe'
            - '\Diskmon.exe'
            - '\Diskmon64.exe'
            - '\DiskView.exe'
            - '\DiskView64.exe'
            - '\du.exe'
            - '\du64.exe'
            - '\efsdump.exe'
            - '\FindLinks.exe'
            - '\FindLinks64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\hex2dec.exe'
            - '\hex2dec64.exe'
            - '\junction.exe'
            - '\junction64.exe'
            - '\ldmdump.exe'
            - '\listdlls.exe'
            - '\listdlls64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\loadOrd.exe'
            - '\loadOrd64.exe'
            - '\loadOrdC.exe'
            - '\loadOrdC64.exe'
            - '\logonsessions.exe'
            - '\logonsessions64.exe'
            - '\movefile.exe'
            - '\movefile64.exe'
            - '\notmyfault.exe'
            - '\notmyfault64.exe'
            - '\notmyfaultc.exe'
            - '\notmyfaultc64.exe'
            - '\ntfsinfo.exe'
            - '\ntfsinfo64.exe'
            - '\pendmoves.exe'
            - '\pendmoves64.exe'
            - '\pipelist.exe'
            - '\pipelist64.exe'
            - '\portmon.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\Procmon.exe'
            - '\Procmon64.exe'
            - '\psExec.exe'
            - '\psExec64.exe'
            - '\psfile.exe'
            - '\psfile64.exe'
            - '\psGetsid.exe'
            - '\psGetsid64.exe'
            - '\psInfo.exe'
            - '\psInfo64.exe'
            - '\pskill.exe'
            - '\pskill64.exe'
            - '\pslist.exe'
            - '\pslist64.exe'
            - '\psLoggedon.exe'
            - '\psLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\psping.exe'
            - '\psping64.exe'
            - '\psService.exe'
            - '\psService64.exe'
            - '\psshutdown.exe'
            - '\psshutdown64.exe'
            - '\pssuspend.exe'
            - '\pssuspend64.exe'
            - '\RAMMap.exe'
            - '\RDCMan.exe'
            - '\RegDelNull.exe'
            - '\RegDelNull64.exe'
            - '\regjump.exe'
            - '\ru.exe'
            - '\ru64.exe'
            - '\sdelete.exe'
            - '\sdelete64.exe'
            - '\ShareEnum.exe'
            - '\ShareEnum64.exe'
            - '\shellRunas.exe'
            - '\sigcheck.exe'
            - '\sigcheck64.exe'
            - '\streams.exe'
            - '\streams64.exe'
            - '\strings.exe'
            - '\strings64.exe'
            - '\sync.exe'
            - '\sync64.exe'
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
            - '\tcpvcon.exe'
            - '\tcpvcon64.exe'
            - '\tcpview.exe'
            - '\tcpview64.exe'
            - '\Testlimit.exe'
            - '\Testlimit64.exe'
            - '\vmmap.exe'
            - '\vmmap64.exe'
            - '\Volumeid.exe'
            - '\Volumeid64.exe'
            - '\whois.exe'
            - '\whois64.exe'
            - '\Winobj.exe'
            - '\Winobj64.exe'
            - '\ZoomIt.exe'
            - '\ZoomIt64.exe'
    # Events whose Company field carries either of these two values are treated
    # as genuine Sysinternals builds and suppressed. Company is a PE version-info
    # string set by whoever built the binary, so a match here lowers confidence
    # of impersonation but is not proof of authenticity; confirm with the
    # Authenticode signature or a known-good hash where the telemetry has them.
    filter_valid:
        Company:
            - 'Sysinternals - www.sysinternals.com'
            - 'Sysinternals'
    # Events with no Company value at all are suppressed too — presumably so
    # the rule stays quiet on event sources that do not record the field. The
    # trade-off is that a renamed binary stripped of version info is not
    # flagged; sources that always populate Company may want this filter removed.
    filter_empty:
        Company: null
    # Alert only when the file name matches and neither filter applies.
    condition: selection_exe and not 1 of filter*
falsepositives:
    - Unknown
level: medium
