EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Potential Defense Evasion Via Binary Rename

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

MITRE ATT&CK

T1036.003
defense-evasion

Detection Query

selection:
  OriginalFileName:
    - Cmd.Exe
    - CONHOST.EXE
    - 7z.exe
    - 7za.exe
    - WinRAR.exe
    - wevtutil.exe
    - net.exe
    - net1.exe
    - netsh.exe
    - InstallUtil.exe
filter:
  Image|endswith:
    - \cmd.exe
    - \conhost.exe
    - \7z.exe
    - \7za.exe
    - \WinRAR.exe
    - \wevtutil.exe
    - \net.exe
    - \net1.exe
    - \netsh.exe
    - \InstallUtil.exe
condition: selection and not filter

Author

Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)

Created

2019-06-15

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1036.003
Raw Content
title: Potential Defense Evasion Via Binary Rename
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
related:
    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
      type: similar
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-06-15
modified: 2025-07-15
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'CONHOST.EXE'
            - '7z.exe'
            - '7za.exe'
            - 'WinRAR.exe'
            - 'wevtutil.exe'
            - 'net.exe'
            - 'net1.exe'
            - 'netsh.exe'
            - 'InstallUtil.exe'
    filter:
        Image|endswith:
            - '\cmd.exe'
            - '\conhost.exe'
            - '\7z.exe'
            - '\7za.exe'
            - '\WinRAR.exe'
            - '\wevtutil.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\InstallUtil.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/info.yml