From da2d06fa37d2a8f00a26950efce7e80f21953d3b Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Mon, 12 Dec 2022 07:28:57 -0800
Subject: [PATCH] Added suspicious rcedit rule.
---
 .../proc_creation_susp_rcedit_execution.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml
new file mode 100644
index 000000000..772917603
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml
@@ -0,0 +1,37 @@
+title: Suspicious Use of rcedit utility
+id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
+status: experimental
+description: Detects the suspicious child use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
+references:
+ - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
+ - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
+ - https://github.com/electron/rcedit
+author: Micah Babinski
+date: 2022/12/11
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+ - attack.t1036
+ - attack.t1027.005
+ - attack.t1027
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - '\rcedit-x64.exe'
+ - '\rcedit-x86.exe'
+ CommandLine|contains: '--set-resource-string'
+ selection2:
+ CommandLine|contains:
+ - 'OriginalFileName'
+ - 'CompanyName'
+ - 'FileDescription'
+ - 'ProductName'
+ - 'ProductVersion'
+ - 'LegalCopyright'
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
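Review bot: selection1 requires `--set-resource-string` on the command line, but the version-info keys enumerated in selection2 (OriginalFilename, CompanyName, FileDescription, ProductName, ProductVersion, LegalCopyright) are written by rcedit's `--set-version-string <key> <value>` option, while `--set-resource-string` addresses string-table resources by numeric id; as written, the two selections rarely co-occur and the metadata rewrite the description targets would largely go undetected. Suggest `CommandLine|contains: '--set-version-string'` in selection1, keeping `'--set-resource-string'` as a second list entry only if that usage is also meant to be covered. The description's "suspicious child use" reads as a stray word, since no parent-process condition is present; "suspicious use" matches the logic. Under `falsepositives`, Electron packaging tooling is a plausible source of legitimate rcedit runs with exactly these keys, which is worth recording given `level: high`.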