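title: Renamed Binary
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27
date: 2019/06/15
references:
    - https://attack.mitre.org/techniques/T1036/
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
# NOTE(review): the Sigma tag taxonomy spells these as lowercase `attack.t1036`
# and `attack.defense_evasion`; the values below are kept as authored.
tags:
    - ATT&CK.T1036
    - ATT&CK.Masquerading
logsource:
    product: windows
    service: sysmon
detection:
    # Sysmon Event ID 1 = process creation. OriginalFileName is read from the
    # PE version resource of the image; it is only emitted by Sysmon 10 and
    # later, so on older sensors this rule never fires (no error, just silence).
    selection:
        EventID: 1
        # Values are the OriginalFileName strings as shipped in the vendor
        # binaries' version info. Sigma string matching is case-insensitive,
        # so the mixed case here is cosmetic. PsExec's version resource
        # records 'psexec.c', hence the odd-looking entry.
        OriginalFileName:
            - Cmd.Exe
            - PowerShell.EXE
            - powershell_ise.EXE
            - psexec.c
            - cscript.exe
            - wscript.exe
            - MSHTA.EXE
            - REGSVR32.EXE
            - wmic.exe
            - CertUtil.exe
            - RUNDLL32.EXE
            - CMSTP.EXE
            - msiexec.exe
            - 7z.exe
            - WinRAR.exe
    # Drop events where the on-disk file name still matches the original.
    # Only the trailing file name is compared, not the directory: a binary
    # that keeps its real name but runs from an unusual path (e.g. cmd.exe
    # under %TEMP%) is deliberately out of scope and needs a separate
    # path-based rule.
    filter:
        Image:
            - '*\cmd.exe'
            - '*\powershell.exe'
            - '*\powershell_ise.exe'
            - '*\PsExec.exe'
            - '*\PsExec64.exe'
            - '*\cscript.exe'
            - '*\wscript.exe'
            - '*\mshta.exe'
            - '*\regsvr32.exe'
            - '*\wmic.exe'
            - '*\certutil.exe'
            - '*\rundll32.exe'
            - '*\cmstp.exe'
            - '*\msiexec.exe'
            - '*\7z.exe'
            - '*\WinRAR.exe'
    # Evasion caveat: the version resource is attacker-controlled. A copy whose
    # OriginalFileName has been stripped or edited (Sysmon then logs a blank /
    # '-' value) does not match `selection`, so this catches naive renames
    # only; pair it with hash- or signature-based detection for full coverage.
    condition: selection and not filter
falsepositives:
    - Custom or bundled applications that ship a renamed copy of one of these binaries (for example a vendor-renamed 7z.exe or WinRAR.exe inside an installer). These are usually easy to identify by Image path and can be added to the filter.
level: high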