Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
related:
- id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
type: similar
- id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
type: derived
- id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
type: obsolete
- id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
type: obsolete
- id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
type: obsolete
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
- https://twitter.com/christophetd/status/1164506034720952320
- https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
- https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
date: 2019-06-15
modified: 2026-02-12
tags:
- attack.defense-evasion
- attack.t1036.003
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'Execute processes remotely'
- Product: 'Sysinternals PsExec'
- Description|startswith:
- 'Windows PowerShell'
- 'pwsh'
- OriginalFileName:
- 'certutil.exe'
- 'cmstp.exe'
- 'cscript.exe'
- 'IE4UINIT.EXE'
- 'finger.exe'
- 'mshta.exe'
- 'msiexec.exe'
- 'msxsl.exe'
- 'powershell_ise.exe'
- 'powershell.exe'
- 'psexec.c' # old versions of psexec (2016 seen)
- 'psexec.exe'
- 'psexesvc.exe'
- 'pwsh.dll'
- 'reg.exe'
- 'regsvr32.exe'
- 'rundll32.exe'
- 'WerMgr'
- 'wmic.exe'
- 'wscript.exe'
filter:
Image|endswith:
- '\certutil.exe'
- '\cmstp.exe'
- '\cscript.exe'
- '\ie4uinit.exe'
- '\finger.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\psexec.exe'
- '\psexec64.exe'
- '\PSEXESVC.exe'
- '\pwsh.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wermgr.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
- PsExec installed via Windows Store doesn't contain original filename field (False negative)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml