T1036.003

Rename Legitimate Utilities

Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation: Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed PSExec) It may be po...

Platforms: Linux, macOS, Windows

47 detections
3 sources
6 threat actors

BY SOURCE

26 sigma, 11 elastic, 10 splunk_escu

PROCEDURES (27)

Procedure categories are auto-extracted keyword groupings; the count is the number of detections mapped to each.

Process Creation Monitoring: 8 detections
Download: 5 detections
Script Execution Monitoring: 3 detections
Service: 2 detections
Remote: 2 detections
Privilege: 2 detections
Unusual: 2 detections
Bypass: 2 detections
General Monitoring: 2 detections
Registry: 2 detections
Powershell: 1 detection
Dump: 1 detection
Persist: 1 detection
Bypass: 1 detection
Lateral: 1 detection
Exfiltrat: 1 detection
Powershell: 1 detection
Privilege: 1 detection
Persist: 1 detection
Masquerad: 1 detection
Suspicious: 1 detection
Evasion: 1 detection
Dump: 1 detection
Exfiltrat: 1 detection
Obfuscat: 1 detection
Obfuscat: 1 detection
Evasion: 1 detection

DETECTIONS (47)

Detection | Source | Level
Execution of File with Multiple Extensions | splunk_escu | not listed
File Download Via Bitsadmin | sigma | medium
File Download Via Bitsadmin To A Suspicious Target Folder | sigma | high
File With Suspicious Extension Downloaded Via Bitsadmin | sigma | high
LOL-Binary Copied From System Directory | sigma | high
Masquerading as Linux Crond Process | sigma | medium
Microsoft Build Engine Using an Alternate Name | elastic | low
Potential Credential Access via Renamed COM+ Services DLL | elastic | high
Potential Data Exfiltration via Rclone | elastic | medium
Potential Defense Evasion Via Binary Rename | sigma | medium
Potential Defense Evasion Via Rename Of Highly Relevant Binaries | sigma | high
Potential Homoglyph Attack Using Lookalike Characters | sigma | medium
Potential Homoglyph Attack Using Lookalike Characters in Filename | sigma | medium
Potential Kubectl Masquerading via Unexpected Process | elastic | medium
Potential PendingFileRenameOperations Tampering | sigma | medium
Potential WerFault ReflectDebugger Registry Value Abuse | sigma | high
PUA - Potential PE Metadata Tamper Using Rcedit | sigma | medium
Remote Access Tool - Renamed MeshAgent Execution - MacOS | sigma | high
Remote Access Tool - Renamed MeshAgent Execution - Windows | sigma | high
Renamed Automation Script Interpreter | elastic | high
Renamed BrowserCore.EXE Execution | sigma | high
Renamed Jusched.EXE Execution | sigma | high
Renamed Msdt.EXE Execution | sigma | high
Renamed Office Binary Execution | sigma | high
Renamed Powershell Under Powershell Channel | sigma | low
Renamed ProcDump Execution | sigma | high
Renamed Schtasks Execution | sigma | high
Renamed Utility Executed with Short Program Name | elastic | medium
Suspicious Copy From or To System Directory | sigma | medium
Suspicious Copy on System32 | splunk_escu | not listed
Suspicious Download From Direct IP Via Bitsadmin | sigma | high
Suspicious Download From File-Sharing Website Via Bitsadmin | sigma | high
Suspicious Microsoft Antimalware Service Execution | elastic | high
Suspicious Microsoft Diagnostics Wizard Execution | elastic | high
Suspicious microsoft workflow compiler rename | splunk_escu | not listed
Suspicious msbuild path | splunk_escu | not listed
Suspicious MSBuild Rename | splunk_escu | not listed
Suspicious Process Execution via Renamed PsExec Executable | elastic | medium
Suspicious Renaming of ESXI Files | elastic | medium
Suspicious Start-Process PassThru | sigma | medium
System Binary Moved or Copied | elastic | medium
System Processes Run From Unexpected Locations | splunk_escu | not listed
Windows DotNet Binary in Non Standard Path | splunk_escu | not listed
Windows InstallUtil in Non Standard Path | splunk_escu | not listed
Windows LOLBAS Executed As Renamed File | splunk_escu | not listed
Windows Processes Suspicious Parent Directory | sigma | low
Windows Renamed Powershell Execution | splunk_escu | not listed