Renamed Autohotkey Binary
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Sigma rule
```yaml
title: Renamed Autohotkey Binary
id: 141c8cd8-ef88-45c4-8891-ea41a72d3d17
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://attack.mitre.org/techniques/T1036/
    - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
author: TheDFIRReport
date: 2023-02-05
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_v1:
        OriginalFileName: 'AutoHotkey.exe'
    selection_v2:
        Product|contains: 'AutoHotkey'
    filter:
        Image|endswith:
            - '\AutoHotkey.exe'
            - '\AutoHotkeyA32.exe'
            - '\AutoHotkeyU32.exe'
            - '\AutoHotkeyU64.exe'
            - '\AutoHotkey32.exe'
            - '\AutoHotkey64.exe'
            - '\AutoHotkey32_UIA.exe'
            - '\AutoHotkey64_UIA.exe'
    condition: 1 of selection_* and not filter
falsepositives:
    - Unknown
level: medium
```
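To show how the condition `1 of selection_* and not filter` behaves on real-looking Sysmon process-creation records, here is an added example (not part of the Sigma project or this rule) that re-implements the rule's logic in Python and runs it over a few constructed events; Sigma string matching on Windows is case-insensitive, which the comparison below mirrors.

```python
# Added example: evaluates the "Renamed Autohotkey Binary" rule logic over
# constructed Sysmon Event ID 1 style records. Field names follow the rule;
# the events and paths are sample data, not real telemetry.

# Image suffixes excluded by the rule's "filter" block (legitimate AHK names).
AUTOHOTKEY_IMAGES = (
    r"\AutoHotkey.exe", r"\AutoHotkeyA32.exe", r"\AutoHotkeyU32.exe",
    r"\AutoHotkeyU64.exe", r"\AutoHotkey32.exe", r"\AutoHotkey64.exe",
    r"\AutoHotkey32_UIA.exe", r"\AutoHotkey64_UIA.exe",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies '1 of selection_* and not filter'."""
    original = event.get("OriginalFileName", "").lower()
    product = event.get("Product", "").lower()
    image = event.get("Image", "").lower()

    selection_v1 = original == "autohotkey.exe"          # PE version info name
    selection_v2 = "autohotkey" in product                # Product field contains
    # filter: the on-disk name is still one of the known AutoHotkey binaries
    filter_hit = any(image.endswith(s.lower()) for s in AUTOHOTKEY_IMAGES)
    return (selection_v1 or selection_v2) and not filter_hit


# Constructed sample events (Image, OriginalFileName, Product).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svchost.exe",
     "OriginalFileName": "AutoHotkey.exe", "Product": "AutoHotkey"},
    {"Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "OriginalFileName": "AutoHotkey.exe", "Product": "AutoHotkey"},
    {"Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "", "Product": "AutoHotkey"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Product": "Microsoft Windows"},
    {"Image": r"C:\Program Files\AutoHotkey\v2\AutoHotkey64_UIA.exe",
     "OriginalFileName": "AutoHotkey64_UIA.exe", "Product": "AutoHotkey"},
]


def alerting_images(events=SAMPLE_EVENTS) -> list:
    """Image paths of the sample events that would raise this rule."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in alerting_images():
        print("ALERT:", path)
```

Note that both selections rely on PE version-info fields; a binary whose version resource has been stripped produces empty `OriginalFileName` and `Product` values and will not match, so this rule is best paired with the related rename-detection rules listed below.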
Related rules
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- Suspicious Download From File-Sharing Website Via Bitsadmin
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download Via Bitsadmin To An Uncommon Target Folder