Merge PR #5264 from @swachchhanda000 - Update Potential Binary Impersonating Sysinternals Tools
update: Potential Binary Impersonating Sysinternals Tools - Add list of binaries compiled for the Arm64 architecture --------- Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
parent
3946f672f0
commit
ced93a8d17
+72
-8
@@ -1,17 +1,21 @@
|
||||
title: Potential Binary Impersonating Sysinternals Tools
|
||||
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
|
||||
status: test
|
||||
description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
|
||||
description: |
|
||||
Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
|
||||
This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
|
||||
Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
|
||||
references:
|
||||
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
|
||||
author: frack113
|
||||
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
|
||||
date: 2021-12-20
|
||||
modified: 2022-12-08
|
||||
modified: 2025-04-12
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.defense-evasion
|
||||
- attack.t1218
|
||||
- attack.t1202
|
||||
- attack.t1036.005
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
@@ -126,6 +130,7 @@ detection:
|
||||
- '\pssuspend.exe'
|
||||
- '\pssuspend64.exe'
|
||||
- '\RAMMap.exe'
|
||||
- '\RAMMap64.exe'
|
||||
- '\RDCMan.exe'
|
||||
- '\RegDelNull.exe'
|
||||
- '\RegDelNull64.exe'
|
||||
@@ -163,13 +168,72 @@ detection:
|
||||
- '\Winobj64.exe'
|
||||
- '\ZoomIt.exe'
|
||||
- '\ZoomIt64.exe'
|
||||
selection_arm64:
|
||||
Image|endswith:
|
||||
- '\accesschk64a.exe'
|
||||
- '\ADExplorer64a.exe'
|
||||
- '\ADInsight64a.exe'
|
||||
- '\adrestore64a.exe'
|
||||
- '\Autologon64a.exe'
|
||||
- '\Autoruns64a.exe'
|
||||
- '\autorunsc64a.exe'
|
||||
- '\Clockres64a.exe'
|
||||
- '\Contig64a.exe'
|
||||
- '\Coreinfo64a.exe'
|
||||
- '\Dbgview64a.exe'
|
||||
- '\disk2vhd64a.exe'
|
||||
- '\diskext64a.exe'
|
||||
- '\DiskView64a.exe'
|
||||
- '\du64a.exe'
|
||||
- '\FindLinks64a.exe'
|
||||
- '\handle64a.exe'
|
||||
- '\hex2dec64a.exe'
|
||||
- '\junction64a.exe'
|
||||
- '\LoadOrd64a.exe'
|
||||
- '\LoadOrdC64a.exe'
|
||||
- '\logonsessions64a.exe'
|
||||
- '\movefile64a.exe'
|
||||
- '\notmyfault64a.exe'
|
||||
- '\notmyfaultc64a.exe'
|
||||
- '\pendmoves64a.exe'
|
||||
- '\pipelist64a.exe'
|
||||
- '\procdump64a.exe'
|
||||
- '\procexp64a.exe'
|
||||
- '\Procmon64a.exe'
|
||||
- '\PsExec64a.exe'
|
||||
- '\psfile64a.exe'
|
||||
- '\PsGetsid64a.exe'
|
||||
- '\PsInfo64a.exe'
|
||||
- '\pskill64a.exe'
|
||||
- '\psloglist64a.exe'
|
||||
- '\pspasswd64a.exe'
|
||||
- '\psping64a.exe'
|
||||
- '\PsService64a.exe'
|
||||
- '\pssuspend64a.exe'
|
||||
- '\RAMMap64a.exe'
|
||||
- '\RegDelNull64a.exe'
|
||||
- '\ru64a.exe'
|
||||
- '\sdelete64a.exe'
|
||||
- '\sigcheck64a.exe'
|
||||
- '\streams64a.exe'
|
||||
- '\strings64a.exe'
|
||||
- '\sync64a.exe'
|
||||
- '\Sysmon64a.exe'
|
||||
- '\tcpvcon64a.exe'
|
||||
- '\tcpview64a.exe'
|
||||
- '\vmmap64a.exe'
|
||||
- '\whois64a.exe'
|
||||
- '\Winobj64a.exe'
|
||||
- '\ZoomIt64a.exe'
|
||||
filter_valid:
|
||||
Company:
|
||||
- 'Sysinternals - www.sysinternals.com'
|
||||
- 'Sysinternals'
|
||||
- Company:
|
||||
- 'Sysinternals - www.sysinternals.com'
|
||||
- 'Sysinternals'
|
||||
- Product|startswith: 'Sysinternals'
|
||||
filter_empty:
|
||||
Company: null
|
||||
condition: selection_exe and not 1 of filter*
|
||||
- Company: null
|
||||
- Product: null
|
||||
condition: 1 of selection_* and not 1 of filter_*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
|
||||
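Review bot: The reworked `filter_valid` now excludes an event when either `Company` matches or `Product` starts with `'Sysinternals'` (a list of maps in a Sigma selection is OR), and both fields are PE version-info strings that the author of a renamed binary fully controls, so the exclusion widens the bypass surface the rule is meant to catch; that trade-off is not stated anywhere in the rule. I would add above `filter_valid:` the comment `# Company/Product are taken from the binary's version resource and can be forged; this filter only removes genuine Sysinternals tools when the metadata is honest, so correlate hits with hash or signature telemetry` and mention the same limitation in `description`. The new `- Product: null` entry in `filter_empty` also suppresses every event from a process_creation source that does not populate `Product` at all, which silently disables the rule on such sources rather than degrading to the old `Company`-only behaviour; consider documenting that data requirement or dropping the `Product: null` exclusion. The `detection:` block and `selection_exe` begin outside this hunk, so the full condition could not be checked here.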