
Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Severity: high
Author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
Source: upstream

Detects the execution of a renamed binary that is often used by attackers or malware, leveraging the Sysmon OriginalFileName data point (the original file name carried in the binary's version information, which survives a rename on disk).

MITRE ATT&CK coverage

Tactic | Technique
Defense Evasion | T1036.003 Masquerading: Rename Legitimate Utilities

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation

Stages and Predicates

Stage 1: selection

or:
Description: 'Execute processes remotely'
Description|startswith: 'Windows PowerShell'
Description|startswith: pwsh
OriginalFileName: IE4UINIT.EXE
OriginalFileName: WerMgr
OriginalFileName: certutil.exe
OriginalFileName: cmstp.exe
OriginalFileName: cscript.exe
OriginalFileName: finger.exe
OriginalFileName: mshta.exe
OriginalFileName: msiexec.exe
OriginalFileName: msxsl.exe
OriginalFileName: powershell.exe
OriginalFileName: powershell_ise.exe
OriginalFileName: psexec.c
OriginalFileName: psexec.exe
OriginalFileName: psexesvc.exe
OriginalFileName: pwsh.dll
OriginalFileName: reg.exe
OriginalFileName: regsvr32.exe
OriginalFileName: rundll32.exe
OriginalFileName: wmic.exe
OriginalFileName: wscript.exe
Product: 'Sysinternals PsExec'

Stage 2: not filter

or:
Image|endswith: '\PSEXESVC.exe'
Image|endswith: '\certutil.exe'
Image|endswith: '\cmstp.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\finger.exe'
Image|endswith: '\ie4uinit.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\msiexec.exe'
Image|endswith: '\msxsl.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\psexec.exe'
Image|endswith: '\psexec64.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\reg.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\rundll32.exe'
Image|endswith: '\wermgr.exe'
Image|endswith: '\wmic.exe'
Image|endswith: '\wscript.exe'
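The two stages combine as "selection and not filter". The following is an added Python example (not code from the rule's authors or from the catalog) that applies that logic to a few constructed Sysmon Event ID 1 records; the field names are the Sysmon fields the rule uses, and Sigma's case-insensitive string matching is reproduced by lower-casing every comparison.

```python
# Added example: a minimal matcher for the rule above over Sysmon Event ID 1 records.

# OriginalFileName values from Stage 1 (lower-cased, since Sigma matching ignores case).
ORIGINAL_FILE_NAMES = {
    "ie4uinit.exe", "wermgr", "certutil.exe", "cmstp.exe", "cscript.exe", "finger.exe",
    "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell.exe", "powershell_ise.exe",
    "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe",
    "rundll32.exe", "wmic.exe", "wscript.exe",
}
# Image suffixes from Stage 2: the file names these binaries are expected to run under.
EXPECTED_IMAGE_SUFFIXES = tuple("\\" + n for n in (
    "psexesvc.exe", "certutil.exe", "cmstp.exe", "cscript.exe", "finger.exe",
    "ie4uinit.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell.exe",
    "powershell_ise.exe", "psexec.exe", "psexec64.exe", "pwsh.exe", "reg.exe",
    "regsvr32.exe", "rundll32.exe", "wermgr.exe", "wmic.exe", "wscript.exe",
))

def _lc(event, field):
    """Lower-cased field value; a field that is absent from the event never matches."""
    return str(event.get(field, "")).lower()

def selection(event):
    """Stage 1: the binary identifies itself as one of the highly relevant tools."""
    desc = _lc(event, "Description")
    return (desc == "execute processes remotely"
            or desc.startswith(("windows powershell", "pwsh"))
            or _lc(event, "OriginalFileName") in ORIGINAL_FILE_NAMES
            or _lc(event, "Product") == "sysinternals psexec")

def expected_name(event):
    """Stage 2 filter: the on-disk image still carries one of the expected file names."""
    return _lc(event, "Image").endswith(EXPECTED_IMAGE_SUFFIXES)

def matches(event):
    """Rule condition: selection and not filter."""
    return selection(event) and not expected_name(event)

# Constructed Sysmon Event ID 1 records for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Temp\svc.exe", "Product": "Sysinternals PsExec"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "Description": "pwsh"},
    {"Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

def alerts(events=SAMPLE_EVENTS):
    """Image paths of every event the rule would fire on."""
    return [e["Image"] for e in events if matches(e)]
```

Only the two records whose image name no longer matches the identity the binary reports about itself survive the filter; the legitimately named rundll32.exe and pwsh.exe are suppressed by Stage 2.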

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Description | eq
  • Execute processes remotely
Description | starts_with
  • Windows PowerShell
  • pwsh
Image | ends_with
  • \PSEXESVC.exe
  • \certutil.exe corpus 34 (sigma 34)
  • \cmstp.exe corpus 9 (sigma 9)
  • \cscript.exe corpus 64 (sigma 64)
  • \finger.exe corpus 9 (sigma 9)
  • \ie4uinit.exe corpus 2 (sigma 2)
  • \mshta.exe corpus 57 (sigma 57)
  • \msiexec.exe corpus 21 (sigma 21)
  • \msxsl.exe corpus 7 (sigma 7)
  • \powershell.exe corpus 143 (sigma 143)
  • \powershell_ise.exe corpus 27 (sigma 27)
  • \psexec.exe corpus 2 (sigma 2)
  • \psexec64.exe
  • \pwsh.exe corpus 140 (sigma 140)
  • \reg.exe corpus 46 (sigma 46)
  • \regsvr32.exe corpus 57 (sigma 57)
  • \rundll32.exe corpus 76 (sigma 76)
  • \wermgr.exe corpus 3 (sigma 3)
  • \wmic.exe corpus 37 (sigma 37)
  • \wscript.exe corpus 64 (sigma 64)
OriginalFileName | eq
  • IE4UINIT.EXE corpus 2 (sigma 2)
  • WerMgr
  • certutil.exe
  • cmstp.exe
  • cscript.exe corpus 15 (sigma 15)
  • finger.exe corpus 2 (sigma 2)
  • mshta.exe corpus 6 (sigma 6)
  • msiexec.exe corpus 5 (sigma 5)
  • msxsl.exe
  • powershell.exe corpus 8 (sigma 8)
  • powershell_ise.exe corpus 6 (sigma 6)
  • psexec.c corpus 2 (sigma 2)
  • psexec.exe
  • psexesvc.exe corpus 3 (sigma 3)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)
  • reg.exe corpus 29 (sigma 29)
  • regsvr32.exe corpus 4 (sigma 4)
  • rundll32.exe
  • wmic.exe corpus 33 (sigma 33)
  • wscript.exe corpus 15 (sigma 15)
Product | eq
  • Sysinternals PsExec