SigmaHQ/wazuh/rules/sigma_win_renamed_binary.yml

alert:
- debug
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
filter:
- query:
    query_string:
      query: (data.win.eventdata.originalFileName:("cmd.exe" OR "powershell.exe" OR "powershell_ise.exe" OR "psexec.exe" OR "psexec.c" OR "cscript.exe" OR "wscript.exe" OR "mshta.exe" OR "regsvr32.exe" OR "wmic.exe" OR "certutil.exe" OR "rundll32.exe" OR "cmstp.exe" OR "msiexec.exe" OR "7z.exe" OR "winrar.exe" OR "wevtutil.exe" OR "net.exe" OR "net1.exe" OR "netsh.exe") AND (NOT (data.win.eventdata.image.keyword:(*\\cmd.exe OR *\\powershell.exe OR *\\powershell_ise.exe OR *\\psexec.exe OR *\\psexec64.exe OR *\\cscript.exe OR *\\wscript.exe OR *\\mshta.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\certutil.exe OR *\\rundll32.exe OR *\\cmstp.exe OR *\\msiexec.exe OR *\\7z.exe OR *\\winrar.exe OR *\\wevtutil.exe OR *\\net.exe OR *\\net1.exe OR *\\netsh.exe))))
index: wazuh-alerts-3.x-*
name: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142_0
priority: 3
realert:
  minutes: 0
type: any