blue-team-tools/rules/windows/process_creation/proc_creation_win_renamed_binary.yml

title: Potential Defense Evasion Via Binary Rename
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
related:
    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
      type: similar
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-06-15
modified: 2023-01-18
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'CONHOST.EXE'
            - '7z.exe'
            - 'WinRAR.exe'
            - 'wevtutil.exe'
            - 'net.exe'
            - 'net1.exe'
            - 'netsh.exe'
            - 'InstallUtil.exe'
    filter:
        Image|endswith:
            - '\cmd.exe'
            - '\conhost.exe'
            - '\7z.exe'
            - '\WinRAR.exe'
            - '\wevtutil.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\InstallUtil.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium