rules/windows/process_creation/proc_creation_win_renamed_binary.yml

title: Renamed Binary
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
references:
  - https://attack.mitre.org/techniques/T1036/
  - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
  - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
date: 2019/06/15
modified: 2021/12/01
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    OriginalFileName:
      - 'cmd.exe'
      - 'CONHOST.EXE'
      - 'powershell.exe'
      - 'powershell_ise.exe'
      - 'psexec.exe'
      - 'psexec.c'        # old versions of psexec (2016 seen)
      - 'cscript.exe'
      - 'wscript.exe'
      - 'mshta.exe'
      - 'regsvr32.exe'
      - 'wmic.exe'
      - 'certutil.exe'
      - 'rundll32.exe'
      - 'cmstp.exe'
      - 'msiexec.exe'
      - '7z.exe'
      - 'winrar.exe'
      - 'wevtutil.exe'
      - 'net.exe'
      - 'net1.exe'
      - 'netsh.exe'
  filter:
    Image|endswith:
      - '\cmd.exe'
      - '\conhost.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\psexec.exe'
      - '\psexec64.exe'
      - '\cscript.exe'
      - '\wscript.exe'
      - '\mshta.exe'
      - '\regsvr32.exe'
      - '\wmic.exe'
      - '\certutil.exe'
      - '\rundll32.exe'
      - '\cmstp.exe'
      - '\msiexec.exe'
      - '\7z.exe'
      - '\winrar.exe'
      - '\wevtutil.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\netsh.exe'
  condition: selection and not filter
falsepositives:
  - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
tags:
  - attack.defense_evasion
  - attack.t1036.003
sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00			`title: Renamed Binary`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
sigma/Add sysmon_renamed_binary 2019-06-15 20:20:52 +10:00			`description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.`
Add netsh to renamed binary rule 2020-04-20 17:12:25 +02:00			`author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)`
sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://attack.mitre.org/techniques/T1036/`
			`- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html`
			`- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html`
			`date: 2019/06/15`
$frack113$ Update win_renamed_binary.yml 2021-12-01 06:54:30 +01:00			`modified: 2021/12/01`
sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`OriginalFileName:`
			`- 'cmd.exe'`
Update win_renamed_binary.yml 2021-12-01 15:07:06 +11:00			`- 'CONHOST.EXE'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- 'powershell.exe'`
			`- 'powershell_ise.exe'`
			`- 'psexec.exe'`
			`- 'psexec.c' # old versions of psexec (2016 seen)`
			`- 'cscript.exe'`
			`- 'wscript.exe'`
			`- 'mshta.exe'`
			`- 'regsvr32.exe'`
			`- 'wmic.exe'`
			`- 'certutil.exe'`
			`- 'rundll32.exe'`
			`- 'cmstp.exe'`
			`- 'msiexec.exe'`
			`- '7z.exe'`
			`- 'winrar.exe'`
			`- 'wevtutil.exe'`
			`- 'net.exe'`
			`- 'net1.exe'`
			`- 'netsh.exe'`
			`filter:`
			`Image\|endswith:`
			`- '\cmd.exe'`
Update win_renamed_binary.yml 2021-12-01 15:07:06 +11:00			`- '\conhost.exe'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- '\powershell.exe'`
			`- '\powershell_ise.exe'`
			`- '\psexec.exe'`
			`- '\psexec64.exe'`
			`- '\cscript.exe'`
			`- '\wscript.exe'`
			`- '\mshta.exe'`
			`- '\regsvr32.exe'`
			`- '\wmic.exe'`
			`- '\certutil.exe'`
			`- '\rundll32.exe'`
			`- '\cmstp.exe'`
			`- '\msiexec.exe'`
			`- '\7z.exe'`
			`- '\winrar.exe'`
			`- '\wevtutil.exe'`
			`- '\net.exe'`
			`- '\net1.exe'`
			`- '\netsh.exe'`
			`condition: selection and not filter`
sigma/Add sysmon_renamed_binary 2019-06-15 20:19:35 +10:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist`
Adjusted level 2019-06-20 00:03:48 +02:00			`level: medium`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1036.003`