From ced93a8d170e80984da789df820e07104f2df9bf Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Thu, 17 Apr 2025 04:24:23 +0545
Subject: [PATCH] Merge PR #5264 from @swachchhanda000 - Update `Potential Binary Impersonating Sysinternals Tools`

update: Potential Binary Impersonating Sysinternals Tools
- Add list of binaries compiled for Arm64 arch added
---------
Co-authored-by: Nasreddine Bencherchali
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 ...on_win_sysinternals_tools_masquerading.yml | 80 +++++++++++++++++--
 1 file changed, 72 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
index 7fad5eb50..431b74b62 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
@@ -1,17 +1,21 @@
title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
-description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
+description: |
+ Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
+ This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
+ Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
-author: frack113
+author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
-modified: 2022-12-08
+modified: 2025-04-12
tags:
- attack.execution
- attack.defense-evasion
- attack.t1218
- attack.t1202
+ - attack.t1036.005
logsource:
category: process_creation
product: windows
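Review bot: The new description says the rule looks for binaries `named similarly to Sysinternals tools`, but the selections match with `Image|endswith` on full file names, so only an exact basename match fires; `named identically to Sysinternals tools` (or `that share the file name of a Sysinternals tool`) describes the logic accurately. The third sentence also reads better as `Adversaries may rename their malicious tools to match legitimate Sysinternals tools to evade detection.`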
@@ -126,6 +130,7 @@ detection:
- '\pssuspend.exe'
- '\pssuspend64.exe'
- '\RAMMap.exe'
+ - '\RAMMap64.exe'
- '\RDCMan.exe'
- '\RegDelNull.exe'
- '\RegDelNull64.exe'
@@ -163,13 +168,72 @@ detection:
- '\Winobj64.exe'
- '\ZoomIt.exe'
- '\ZoomIt64.exe'
+ selection_arm64:
+ Image|endswith:
+ - '\accesschk64a.exe'
+ - '\ADExplorer64a.exe'
+ - '\ADInsight64a.exe'
+ - '\adrestore64a.exe'
+ - '\Autologon64a.exe'
+ - '\Autoruns64a.exe'
+ - '\autorunsc64a.exe'
+ - '\Clockres64a.exe'
+ - '\Contig64a.exe'
+ - '\Coreinfo64a.exe'
+ - '\Dbgview64a.exe'
+ - '\disk2vhd64a.exe'
+ - '\diskext64a.exe'
+ - '\DiskView64a.exe'
+ - '\du64a.exe'
+ - '\FindLinks64a.exe'
+ - '\handle64a.exe'
+ - '\hex2dec64a.exe'
+ - '\junction64a.exe'
+ - '\LoadOrd64a.exe'
+ - '\LoadOrdC64a.exe'
+ - '\logonsessions64a.exe'
+ - '\movefile64a.exe'
+ - '\notmyfault64a.exe'
+ - '\notmyfaultc64a.exe'
+ - '\pendmoves64a.exe'
+ - '\pipelist64a.exe'
+ - '\procdump64a.exe'
+ - '\procexp64a.exe'
+ - '\Procmon64a.exe'
+ - '\PsExec64a.exe'
+ - '\psfile64a.exe'
+ - '\PsGetsid64a.exe'
+ - '\PsInfo64a.exe'
+ - '\pskill64a.exe'
+ - '\psloglist64a.exe'
+ - '\pspasswd64a.exe'
+ - '\psping64a.exe'
+ - '\PsService64a.exe'
+ - '\pssuspend64a.exe'
+ - '\RAMMap64a.exe'
+ - '\RegDelNull64a.exe'
+ - '\ru64a.exe'
+ - '\sdelete64a.exe'
+ - '\sigcheck64a.exe'
+ - '\streams64a.exe'
+ - '\strings64a.exe'
+ - '\sync64a.exe'
+ - '\Sysmon64a.exe'
+ - '\tcpvcon64a.exe'
+ - '\tcpview64a.exe'
+ - '\vmmap64a.exe'
+ - '\whois64a.exe'
+ - '\Winobj64a.exe'
+ - '\ZoomIt64a.exe'
filter_valid:
- Company:
- - 'Sysinternals - www.sysinternals.com'
- - 'Sysinternals'
+ - Company:
+ - 'Sysinternals - www.sysinternals.com'
+ - 'Sysinternals'
+ - Product|startswith: 'Sysinternals'
filter_empty:
- Company: null
- condition: selection_exe and not 1 of filter*
+ - Company: null
+ - Product: null
+ condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
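Review bot: `filter_empty` is now a list of two maps, which Sigma evaluates as OR, so an event is suppressed when Company is null or Product is null; on a log source that populates Company but not Product, every hit is dropped and the rule goes silent, whereas the previous single-field filter depended on Company alone. If the intent is to skip only binaries carrying no version metadata at all, both keys belong in one map (AND): `filter_empty:` / `    Company: null` / `    Product: null`. The same OR semantics apply to the new `filter_valid`, where `Product|startswith: 'Sysinternals'` by itself now excludes an event; since both Company and Product are read from the binary's own version resource, this exclusion reduces false positives but is not a trust decision, and the `falsepositives` entry (still `Unknown`) should say so. `selection_exe`, referenced by the old condition and covered by the new `1 of selection_*`, is defined outside this hunk.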