title: Highly Relevant Renamed Binary
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27, Florian Roth
references:
  - https://attack.mitre.org/techniques/T1036/
  - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
  - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
date: 2019/06/15
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    OriginalFileName:
      - 'powershell.exe'
      - 'powershell_ise.exe'
      - 'psexec.exe'
      - 'psexec.c'        # old versions of psexec (2016 seen)
      - 'cscript.exe'
      - 'wscript.exe'
      - 'mshta.exe'
      - 'regsvr32.exe'
      - 'wmic.exe'
      - 'certutil.exe'
      - 'rundll32.exe'
      - 'cmstp.exe'
      - 'msiexec.exe'
  filter:
    Image|endswith:
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\psexec.exe'
      - '\psexec64.exe'
      - '\cscript.exe'
      - '\wscript.exe'
      - '\mshta.exe'
      - '\regsvr32.exe'
      - '\wmic.exe'
      - '\certutil.exe'
      - '\rundll32.exe'
      - '\cmstp.exe'
      - '\msiexec.exe'
  condition: selection and not filter
falsepositives:
  - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: high
tags:
  - attack.defense_evasion
  - attack.t1036.003