Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point (the OriginalFilename string from the executable's PE version resource, which survives a rename on disk) rather than the file name of the image itself.
Authors: Matthew Green, Ecco, James Pemberton, oscd.community, Andreas Hunkeler
Created: Sat Jun 15
Updated: Tue Jul 15
Rule ID: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
Product: windows
Log Source
Product: windows
Category: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
  selection:
    OriginalFileName:
      - 'Cmd.Exe'
      - 'CONHOST.EXE'
      - '7z.exe'
      - '7za.exe'
      - 'WinRAR.exe'
      - 'wevtutil.exe'
      - 'net.exe'
      - 'net1.exe'
      - 'netsh.exe'
      - 'InstallUtil.exe'
  filter:
    Image|endswith:
      - '\cmd.exe'
      - '\conhost.exe'
      - '\7z.exe'
      - '\7za.exe'
      - '\WinRAR.exe'
      - '\wevtutil.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\netsh.exe'
      - '\InstallUtil.exe'
  condition: selection and not filter

False Positives
Custom applications that ship a copy of one of these binaries under a slightly changed file name will trigger this rule. Such cases are typically easy to spot during triage and can be added to an allowlist, for example as an additional filter on the full Image path.
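The rule's selection, filter and condition implemented in Python and run over a handful of constructed Sysmon Event ID 1 records, as an added example that is not part of the rule or of this page. The sample events, the matching_images helper and the allowed_images tuning set are assumptions introduced for illustration; the vendor false positive from the note above is included to show how an allowlist entry on the full Image path suppresses it while the genuine renamed-binary cases still alert.

```python
"""Added example: the Sigma rule's detection logic evaluated over constructed
Sysmon Event ID 1 (process creation) records. Not the page's or the rule's code."""

# Values copied from the rule's 'selection' block. OriginalFileName is the
# OriginalFilename string from the PE version resource, so it survives a rename.
SELECTION_ORIGINAL_FILENAMES = [
    "Cmd.Exe", "CONHOST.EXE", "7z.exe", "7za.exe", "WinRAR.exe",
    "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe",
]

# Suffixes copied from the rule's 'filter' block (Image|endswith).
FILTER_IMAGE_SUFFIXES = [
    "\\cmd.exe", "\\conhost.exe", "\\7z.exe", "\\7za.exe", "\\WinRAR.exe",
    "\\wevtutil.exe", "\\net.exe", "\\net1.exe", "\\netsh.exe", "\\InstallUtil.exe",
]


def selection_matches(event: dict) -> bool:
    """'selection': OriginalFileName equals one of the listed values.
    Sigma string matching is case-insensitive, so compare lower-cased."""
    original = event.get("OriginalFileName", "-")
    return original.lower() in {v.lower() for v in SELECTION_ORIGINAL_FILENAMES}


def filter_matches(event: dict) -> bool:
    """'filter': Image ends with the expected on-disk name for that binary."""
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix.lower()) for suffix in FILTER_IMAGE_SUFFIXES)


def rule_matches(event: dict, allowed_images=frozenset()) -> bool:
    """'condition: selection and not filter', plus an optional allowlist of full
    Image paths (an assumed tuning step for the documented false positive)."""
    if event.get("Image", "").lower() in {a.lower() for a in allowed_images}:
        return False
    return selection_matches(event) and not filter_matches(event)


def matching_images(events, allowed_images=frozenset()) -> list:
    """Return the Image path of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if rule_matches(e, allowed_images)]


# Constructed Sysmon Event ID 1 records (only the fields the rule uses).
SAMPLE_EVENTS = [
    # cmd.exe copied to a look-alike name: OriginalFileName gives it away.
    {"Image": "C:\\Users\\Public\\svchost.exe", "OriginalFileName": "Cmd.Exe"},
    # Genuine cmd.exe: selection hits, filter removes it.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # 7-Zip renamed and staged for archiving data before exfiltration.
    {"Image": "C:\\ProgramData\\update.exe", "OriginalFileName": "7z.exe"},
    # Vendor software shipping 7za.exe under a slightly different name:
    # the false positive described on the page.
    {"Image": "C:\\Program Files\\Vendor\\7za_x64.exe", "OriginalFileName": "7za.exe"},
    # Binary without a version resource: Sysmon records '-' for the field.
    {"Image": "C:\\Temp\\dropper.exe", "OriginalFileName": "-"},
    # Ordinary system process, not in the selection at all.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe"},
]

# Assumed allowlist entry added after triage of the vendor false positive.
ALLOWED_IMAGES = frozenset({"C:\\Program Files\\Vendor\\7za_x64.exe"})

if __name__ == "__main__":
    for image in matching_images(SAMPLE_EVENTS):
        print("ALERT (untuned):", image)
    for image in matching_images(SAMPLE_EVENTS, ALLOWED_IMAGES):
        print("ALERT (with allowlist):", image)
```

The allowlist is keyed on the full Image path rather than on the file name alone, so a copy of the same binary dropped under the vendor's name in a user-writable directory still alerts.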
MITRE ATT&CK
Tactic: Defense Evasion
Sub-technique: T1036.003 (Masquerading: Rename System Utilities)
Rule Metadata
Rule ID
36480ae1-a1cb-4eaa-a0d6-29801d7e9142
Status
test
Level
medium
Type
Detection
Created
Sat Jun 15
Modified
Tue Jul 15
Path
rules/windows/process_creation/proc_creation_win_renamed_binary.yml
Raw Tags
attack.defense-evasion
attack.t1036.003