From 7d437c29694435ca79d92b0b8162c0e043ff89b5 Mon Sep 17 00:00:00 2001
From: Andreas Hunkeler
Date: Mon, 20 Apr 2020 17:12:25 +0200
Subject: [PATCH] Add netsh to renamed binary rule

---
 rules/windows/process_creation/win_renamed_binary.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml
index bcac5d58c..7d50a9054 100644
--- a/rules/windows/process_creation/win_renamed_binary.yml
+++ b/rules/windows/process_creation/win_renamed_binary.yml
@@ -2,7 +2,7 @@ title: Renamed Binary
 id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
 status: experimental
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)
+author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
 date: 2019/06/15
 modified: 2019/11/11
 references:
@@ -37,6 +37,7 @@ detection:
             - 'wevtutil.exe'
             - 'net.exe'
             - 'net1.exe'
+            - 'netsh.exe'
     filter:
         Image|endswith:
             - '\cmd.exe'
@@ -58,6 +59,7 @@ detection:
             - '\wevtutil.exe'
             - '\net.exe'
             - '\net1.exe'
+            - '\netsh.exe'
     condition: selection and not filter
 falsepositives:
     - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
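Review bot: The `modified:` field in the first hunk still reads `2019/11/11` although the second and third hunks change the detection content; Sigma convention is to bump it whenever `selection`/`filter` logic changes so consumers can see the rule version moved, i.e. `modified: 2020/04/20`. The netsh addition itself mirrors the existing pairs (match on `OriginalFileName`, exclude an `Image` that still ends in `\netsh.exe`), so only a copy of netsh.exe running under another name should fire; it would be worth confirming on a live Sysmon event that the PE version-info `OriginalFilename` of netsh.exe really is `netsh.exe`, since a mismatch would make the new entry silently dead. The last hunk ends inside `falsepositives:`; the rest of the rule (e.g. its `level`) is outside the diff.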