security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
2cb7375c6b1d8035bf773ef29d065793b645eb37
blue-team-tools/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
T
Nasreddine Bencherchali 2cb7375c6b Merge PR #5719 from @nasbench - Add regression test CI, data and simulation links 
update: Cred Dump Tools Dropped Files - Add procdump.exe and procdump64a.exe
update: File Download From Browser Process Via Inline URL - Enhance selection by splitting CLI markers for better matching
update: Tor Client/Browser Execution - Add additional PE metadata markers
update: System Information Discovery via Registry Queries - Enhance registry markers
update: PUA - AdFind Suspicious Execution - Add -sc to dclist string for more accurate coverage.
fix: Removal Of Index Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Removal Of SD Value to Hide Schedule Task - Registry - Remove EventType condition that broke the rule.
fix: Creation of a Local Hidden User Account by Registry - Fix the TargetObject value
fix: Potential Persistence Via New AMSI Providers - Registry - Change logsource and fix the rule logic
fix: Potential COM Object Hijacking Via TreatAs Subkey - Registry - Change logsource and fix the rule logic
fix: Potential Persistence Via Logon Scripts - Registry - Fix incorrect logsource
fix: PUA - Sysinternal Tool Execution - Registry - Fix incorrect logsource
fix: Suspicious Execution Of Renamed Sysinternals Tools - Registry - Fix incorrect logsource
fix: PUA - Sysinternals Tools Execution - Registry - Fix incorrect logsource
chore: add CI script for regression
chore: add regression data

---------

Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-11-25 16:00:53 +01:00

52 lines
1.9 KiB
YAML
Raw Blame History

title: Potential Defense Evasion Via Binary Rename
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
related:
- id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
type: similar
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-06-15
modified: 2025-07-15
tags:
- attack.defense-evasion
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'Cmd.Exe'
- 'CONHOST.EXE'
- '7z.exe'
- '7za.exe'
- 'WinRAR.exe'
- 'wevtutil.exe'
- 'net.exe'
- 'net1.exe'
- 'netsh.exe'
- 'InstallUtil.exe'
filter:
Image|endswith:
- '\cmd.exe'
- '\conhost.exe'
- '\7z.exe'
- '\7za.exe'
- '\WinRAR.exe'
- '\wevtutil.exe'
- '\net.exe'
- '\net1.exe'
- '\netsh.exe'
- '\InstallUtil.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
regression_tests_path: regression_data/windows/process_creation/proc_creation_win_renamed_binary/info.yml
Reference in New Issue View Git Blame Copy Permalink