SigmaHQ/rules/windows/process_creation/win_renamed_binary.yml

title: Renamed Binary
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27 
date: 2019/06/15
references:
    - https://attack.mitre.org/techniques/T1036/
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
tags:
    - attack.t1036
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - "cmd.exe"
            - "powershell.exe"
            - "powershell_ise.exe"
            - "psexec.exe"
            - "psexec.c"  # old versions of psexec (2016 seen)
            - "cscript.exe"
            - "wscript.exe"
            - "mshta.exe"
            - "regsvr32.exe"
            - "wmic.exe"
            - "certutil.exe"
            - "rundll32.exe"
            - "cmstp.exe"
            - "msiexec.exe"
            - "7z.exe"
            - "winrar.exe"
    filter:
        Image:
            - '*\cmd.exe'
            - '*\powershell.exe'
            - '*\powershell_ise.exe'
            - '*\psexec.exe'
            - '*\psexec64.exe'
            - '*\cscript.exe'
            - '*\wscript.exe'
            - '*\mshta.exe'
            - '*\regsvr32.exe'
            - '*\wmic.exe'
            - '*\certutil.exe'
            - '*\rundll32.exe'
            - '*\cmstp.exe'
            - '*\msiexec.exe'
            - '*\7z.exe'
            - '*\winrar.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`title: Renamed Binary`
			`status: experimental`
sigma/Add sysmon_renamed_binary 2019-06-15 10:20:52 +00:00			`description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.`
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`author: Matthew Green - @mgreen27`
			`date: 2019/06/15`
			`references:`
			`- https://attack.mitre.org/techniques/T1036/`
			`- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html`
			`- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html`
			`tags:`
Rule fixes * tagging * removed spaces * converted to generic log source * typos/case 2019-06-19 22:01:56 +00:00			`- attack.t1036`
			`- attack.defense_evasion`
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`logsource:`
Rule fixes * tagging * removed spaces * converted to generic log source * typos/case 2019-06-19 22:01:56 +00:00			`category: process_creation`
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`product: windows`
			`detection:`
			`selection:`
			`OriginalFileName:`
Rule fixes * tagging * removed spaces * converted to generic log source * typos/case 2019-06-19 22:01:56 +00:00			`- "cmd.exe"`
			`- "powershell.exe"`
			`- "powershell_ise.exe"`
			`- "psexec.exe"`
fix: PsExec false positives 2019-09-26 08:50:43 +00:00			`- "psexec.c" # old versions of psexec (2016 seen)`
Rule fixes * tagging * removed spaces * converted to generic log source * typos/case 2019-06-19 22:01:56 +00:00			`- "cscript.exe"`
			`- "wscript.exe"`
			`- "mshta.exe"`
			`- "regsvr32.exe"`
			`- "wmic.exe"`
			`- "certutil.exe"`
			`- "rundll32.exe"`
			`- "cmstp.exe"`
			`- "msiexec.exe"`
			`- "7z.exe"`
			`- "winrar.exe"`
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`filter:`
			`Image:`
Rule fixes * tagging * removed spaces * converted to generic log source * typos/case 2019-06-19 22:01:56 +00:00			`- '*\cmd.exe'`
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`- '*\powershell.exe'`
			`- '*\powershell_ise.exe'`
Rule fixes * tagging * removed spaces * converted to generic log source * typos/case 2019-06-19 22:01:56 +00:00			`- '*\psexec.exe'`
			`- '*\psexec64.exe'`
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`- '*\cscript.exe'`
			`- '*\wscript.exe'`
			`- '*\mshta.exe'`
			`- '*\regsvr32.exe'`
			`- '*\wmic.exe'`
			`- '*\certutil.exe'`
			`- '*\rundll32.exe'`
			`- '*\cmstp.exe'`
			`- '*\msiexec.exe'`
			`- '*\7z.exe'`
Rule fixes * tagging * removed spaces * converted to generic log source * typos/case 2019-06-19 22:01:56 +00:00			`- '*\winrar.exe'`
sigma/Add sysmon_renamed_binary 2019-06-15 10:19:35 +00:00			`condition: selection and not filter`
			`falsepositives:`
			`- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist`
Adjusted level 2019-06-19 22:03:48 +00:00			`level: medium`