alexpetrov12
59 lines
2.0 KiB
YAML
59 lines
2.0 KiB
YAML
title: Renamed Binary
|
|
status: experimental
|
|
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon Description datapoint.
|
|
author: Aleksey Potapov, oscd.community
|
|
date: 2019/10/22
|
|
references:
|
|
- https://attack.mitre.org/techniques/T1036/
|
|
tags:
|
|
- attack.t1036
|
|
- attack.defense_evasion
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
Description:
|
|
- "active directory editor"
|
|
- "sysinternals process dump utility"
|
|
- "msbuild.exe"
|
|
- ".net core host"
|
|
- "windows command processor"
|
|
- "windows powershell"
|
|
- "execute processes remotely"
|
|
- ".net framework installation utility"
|
|
- "microsoft ® console based script host"
|
|
- "microsoft ® windows based script host"
|
|
- "microsoft (r) html application host"
|
|
- "microsoft(c) register server"
|
|
- "wmi commandline utility"
|
|
- "certutil.exe"
|
|
- "windows host process (rundll32)"
|
|
- "microsoft connection manager profile Installer"
|
|
- "windows ® installer"
|
|
- "7-zip console"
|
|
filter:
|
|
Image:
|
|
-'*\adexplorer.exe'
|
|
-'*\procdump.exe'
|
|
-'*\msbuild.exe'
|
|
-'*\dotnet.exe'
|
|
-'*\cmd.exe'
|
|
-'*\powershell.exe'
|
|
-'*\psexec.exe'
|
|
-'*\installutil.exe'
|
|
-'*\cscript.exe'
|
|
-'*\wscript.exe'
|
|
-'*\mshta.exe'
|
|
-'*\regsvr32.exe'
|
|
-'*\wmic.exe'
|
|
-'*\certutil.exe'
|
|
-'*\rundll32.exe'
|
|
-'*\cmstp.exe'
|
|
-'*\msiexec.exe'
|
|
-'*\7z.exe'
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
|
|
level: medium |