EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

MITRE ATT&CK

T1036.003
defense-evasion

Detection Query

selection:
  - Description: Execute processes remotely
  - Product: Sysinternals PsExec
  - Description|startswith:
      - Windows PowerShell
      - pwsh
  - OriginalFileName:
      - certutil.exe
      - cmstp.exe
      - cscript.exe
      - IE4UINIT.EXE
      - finger.exe
      - mshta.exe
      - msiexec.exe
      - msxsl.exe
      - powershell_ise.exe
      - powershell.exe
      - psexec.c
      - psexec.exe
      - psexesvc.exe
      - pwsh.dll
      - reg.exe
      - regsvr32.exe
      - rundll32.exe
      - WerMgr
      - wmic.exe
      - wscript.exe
filter:
  Image|endswith:
    - \certutil.exe
    - \cmstp.exe
    - \cscript.exe
    - \ie4uinit.exe
    - \finger.exe
    - \mshta.exe
    - \msiexec.exe
    - \msxsl.exe
    - \powershell_ise.exe
    - \powershell.exe
    - \psexec.exe
    - \psexec64.exe
    - \PSEXESVC.exe
    - \pwsh.exe
    - \reg.exe
    - \regsvr32.exe
    - \rundll32.exe
    - \wermgr.exe
    - \wmic.exe
    - \wscript.exe
condition: selection and not filter

Author

Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113

Created

2019-06-15

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1036.003car.2013-05-009
Raw Content
title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
related:
    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
      type: similar
    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
      type: derived
    - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
      type: obsolete
    - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
      type: obsolete
    - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
      type: obsolete
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
    - https://twitter.com/christophetd/status/1164506034720952320
    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
    - https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
date: 2019-06-15
modified: 2026-02-12
tags:
    - attack.defense-evasion
    - attack.t1036.003
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Execute processes remotely'
        - Product: 'Sysinternals PsExec'
        - Description|startswith:
              - 'Windows PowerShell'
              - 'pwsh'
        - OriginalFileName:
              - 'certutil.exe'
              - 'cmstp.exe'
              - 'cscript.exe'
              - 'IE4UINIT.EXE'
              - 'finger.exe'
              - 'mshta.exe'
              - 'msiexec.exe'
              - 'msxsl.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'psexec.c'        # old versions of psexec (2016 seen)
              - 'psexec.exe'
              - 'psexesvc.exe'
              - 'pwsh.dll'
              - 'reg.exe'
              - 'regsvr32.exe'
              - 'rundll32.exe'
              - 'WerMgr'
              - 'wmic.exe'
              - 'wscript.exe'
    filter:
        Image|endswith:
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\ie4uinit.exe'
            - '\finger.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\PSEXESVC.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wermgr.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml