Renamed Autohotkey Binary

Detects the execution of a renamed AutoHotkey binary, a technique often used by attackers and malware to evade detection, by leveraging the Sysmon OriginalFileName data point (the file name recorded in the PE version information, which survives a rename on disk).

Sigma rule

title: Renamed Autohotkey Binary
id: 141c8cd8-ef88-45c4-8891-ea41a72d3d17
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://attack.mitre.org/techniques/T1036/
    - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
author: TheDFIRReport
date: 2023/02/05

tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_v1:
        OriginalFileName:
            - 'AutoHotkey.exe'
    selection_v2:
        Product|contains:
            - 'AutoHotkey'
    filter:
        Image|endswith:
            - '\AutoHotkey.exe'
            - '\AutoHotkeyA32.exe'
            - '\AutoHotkeyU32.exe'
            - '\AutoHotkeyU64.exe'
            - '\AutoHotkey32.exe'
            - '\AutoHotkey64.exe'
            - '\AutoHotkey32_UIA.exe'
            - '\AutoHotkey64_UIA.exe'
    condition: 1 of selection_* and not filter
falsepositives:
    - Unknown
level: medium
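To show how the condition `1 of selection_* and not filter` behaves on real events, the following Python is an added example (not code from the Sigma project or from the rule's author) that re-implements the rule's matching logic and runs it over a handful of constructed Sysmon process-creation records. It assumes the usual Sigma semantics: plain string fields, `contains` and `endswith` are compared case-insensitively. The field names (`Image`, `OriginalFileName`, `Product`) are the Sysmon Event ID 1 fields the rule references; the sample events themselves are made up for illustration.

```python
"""Reference implementation of the 'Renamed Autohotkey Binary' Sigma rule
(id 141c8cd8-ef88-45c4-8891-ea41a72d3d17) run over constructed Sysmon
Event ID 1 records. Added example; not part of the Sigma project or the rule page.
"""

from typing import Iterable

# Values copied from the rule. Sigma compares strings case-insensitively
# unless a modifier says otherwise, so everything is lower-cased first.
ORIGINAL_FILE_NAMES = {"autohotkey.exe"}          # selection_v1
PRODUCT_CONTAINS = ["autohotkey"]                  # selection_v2
IMAGE_SUFFIXES = [                                 # filter (Image|endswith)
    "\\autohotkey.exe",
    "\\autohotkeya32.exe",
    "\\autohotkeyu32.exe",
    "\\autohotkeyu64.exe",
    "\\autohotkey32.exe",
    "\\autohotkey64.exe",
    "\\autohotkey32_uia.exe",
    "\\autohotkey64_uia.exe",
]


def _field(event: dict, name: str) -> str:
    """Return a Sysmon field as a lower-case string ('' when absent)."""
    return str(event.get(name, "")).lower()


def matches_rule(event: dict) -> bool:
    """Evaluate: 1 of selection_* and not filter."""
    selection_v1 = _field(event, "OriginalFileName") in ORIGINAL_FILE_NAMES
    product = _field(event, "Product")
    selection_v2 = any(needle in product for needle in PRODUCT_CONTAINS)
    image = _field(event, "Image")
    filtered = any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)
    return (selection_v1 or selection_v2) and not filtered


def scan(events: Iterable[dict]) -> list:
    """Return the Image path of every event that triggers the rule."""
    return [ev["Image"] for ev in events if matches_rule(ev)]


# Constructed sample events shaped like Sysmon process_creation records.
SAMPLE_EVENTS = [
    {   # legitimate install: file name and PE metadata agree -> excluded by filter
        "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
        "OriginalFileName": "AutoHotkey.exe",
        "Product": "AutoHotkey",
    },
    {   # renamed copy: file name changed, PE metadata still says AutoHotkey -> alert
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\helper.exe",
        "OriginalFileName": "AutoHotkey.exe",
        "Product": "AutoHotkey",
    },
    {   # OriginalFileName not populated, Product string still present -> alert via selection_v2
        "Image": r"C:\ProgramData\update\upd.exe",
        "OriginalFileName": "",
        "Product": "AutoHotkey Unicode 64-bit",
    },
    {   # unrelated process -> no alert
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "Product": "Microsoft Windows Operating System",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT renamed AutoHotkey binary:", hit)
```

Two things worth noting when tuning this rule: the filter matches on the file name only, not on the installation directory, so if AutoHotkey is deployed to a fixed path in your environment you can tighten the exclusion to that full path; and the `Product` selection depends on the PE version resource being present in the Sysmon event, so confirm your Sysmon configuration actually records `Product` and `OriginalFileName` for process creation events before relying on `selection_v2`.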
