
Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Authors: Matthew Green, Florian Roth (Nextron Systems), François Hubaut
Created: Sat Jun 15 · Updated: Thu Feb 12
Log Source
Product: windows
Category: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection:
        - Description: 'Execute processes remotely'
        - Product: 'Sysinternals PsExec'
        - Description|startswith:
              - 'Windows PowerShell'
              - 'pwsh'
        - OriginalFileName:
              - 'certutil.exe'
              - 'cmstp.exe'
              - 'cscript.exe'
              - 'IE4UINIT.EXE'
              - 'finger.exe'
              - 'mshta.exe'
              - 'msiexec.exe'
              - 'msxsl.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'psexec.c'        # old versions of psexec (2016 seen)
              - 'psexec.exe'
              - 'psexesvc.exe'
              - 'pwsh.dll'
              - 'reg.exe'
              - 'regsvr32.exe'
              - 'rundll32.exe'
              - 'WerMgr'
              - 'wmic.exe'
              - 'wscript.exe'
    filter:
        Image|endswith:
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\ie4uinit.exe'
            - '\finger.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\PSEXESVC.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wermgr.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection and not filter
False Positives

Custom applications that ship renamed copies of these binaries with a slight change to the file name. Typically this is easy to spot and to add to a whitelist.

PsExec installed via the Windows Store doesn't carry the OriginalFileName field (false negative).
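As an added example, not part of the rule or of this page: the detection logic above re-implemented in plain Python and run over constructed Sysmon process-creation records, covering the two cases the False Positives section describes (a vendor's slightly renamed binary, which fires, and a Store-installed PsExec with no OriginalFileName, which is missed). The event field names and sample paths are assumptions for the demonstration.

```python
# Added example (not from the rule or the page): the rule's "selection and not
# filter" logic in plain Python over constructed Sysmon Event ID 1 records.
# Sigma string matching is case-insensitive by default, so both sides are lower-cased.
ORIGINAL_FILE_NAMES = {n.lower() for n in (  # copied from the rule's selection list
    "certutil.exe", "cmstp.exe", "cscript.exe", "IE4UINIT.EXE", "finger.exe",
    "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell_ise.exe",
    "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll",
    "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe",
    "wscript.exe")}
IMAGE_SUFFIXES = tuple("\\" + n.lower() for n in (  # copied from the rule's filter list
    "certutil.exe", "cmstp.exe", "cscript.exe", "ie4uinit.exe", "finger.exe",
    "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell_ise.exe",
    "powershell.exe", "psexec.exe", "psexec64.exe", "PSEXESVC.exe",
    "pwsh.exe", "reg.exe", "regsvr32.exe", "rundll32.exe", "wermgr.exe",
    "wmic.exe", "wscript.exe"))
DESCRIPTION_PREFIXES = ("windows powershell", "pwsh")

def _lc(event, field):
    """Lower-cased field value; a missing field behaves as an empty string."""
    return str(event.get(field, "")).lower()

def selection(event):
    """OR over the rule's four selection entries."""
    desc = _lc(event, "Description")
    return (desc == "execute processes remotely"
            or _lc(event, "Product") == "sysinternals psexec"
            or desc.startswith(DESCRIPTION_PREFIXES)
            or _lc(event, "OriginalFileName") in ORIGINAL_FILE_NAMES)

def filter_(event):
    """True when the on-disk file name is still the expected one."""
    return _lc(event, "Image").endswith(IMAGE_SUFFIXES)

def matches(event):
    return selection(event) and not filter_(event)

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Users\Public\svc32.exe", "OriginalFileName": "PowerShell.EXE"},  # renamed: hit
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},                       # expected name: no hit
    {"Image": r"C:\Temp\ps.exe", "Product": "Sysinternals PsExec"},  # renamed PsExec: hit
    {"Image": r"C:\Temp\svc.exe"},                  # Store PsExec, no OriginalFileName: miss
    {"Image": r"C:\Program Files\Vendor\rundll32_custom.exe",
     "OriginalFileName": "RUNDLL32.EXE"},                         # vendor rename: hit (FP class)
]

def run(events=SAMPLE_EVENTS):
    """Return the Image of every event the rule would flag."""
    return [e["Image"] for e in events if matches(e)]
```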

Testing & Validation

Regression Tests

by SigmaHQ Team
Positive detection test: 1 match (evtx)

Microsoft-Windows-Sysmon

MITRE ATT&CK

T1036.003 (Defense Evasion)

CAR Analytics

CAR-2013-05-009
Rule Metadata
Rule ID
0ba1da6d-b6ce-4366-828c-18826c9de23e
Status
test
Level
high
Type
Detection
Created
Sat Jun 15
Modified
Thu Feb 12
Path
rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
Raw Tags
attack.defense-evasion, attack.t1036.003, car.2013-05-009