Potential Binary Impersonating Sysinternals Tools
Detects the execution of binaries that carry the same names as legitimate Sysinternals tools but whose Company or Product metadata does not identify them as Sysinternals. Adversaries may rename their malicious tools to match legitimate Sysinternals tools in order to evade detection.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1036.005 Masquerading: Match Legitimate Resource Name or Location, T1202 Indirect Command Execution, T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: 1 of selection_exe
or:
Image|endswith: '\ADExplorer.exe'
Image|endswith: '\ADExplorer64.exe'
Image|endswith: '\ADInsight.exe'
Image|endswith: '\ADInsight64.exe'
Image|endswith: '\AccessEnum.exe'
Image|endswith: '\Autologon.exe'
Image|endswith: '\Autologon64.exe'
Image|endswith: '\Autoruns.exe'
Image|endswith: '\Autoruns64.exe'
Image|endswith: '\Bginfo.exe'
Image|endswith: '\Bginfo64.exe'
Image|endswith: '\CPUSTRES.EXE'
Image|endswith: '\CPUSTRES64.EXE'
Image|endswith: '\Cacheset.exe'
Image|endswith: '\Cacheset64.exe'
Image|endswith: '\Clockres.exe'
Image|endswith: '\Clockres64.exe'
Image|endswith: '\Contig.exe'
Image|endswith: '\Contig64.exe'
Image|endswith: '\Coreinfo.exe'
Image|endswith: '\Coreinfo64.exe'
Image|endswith: '\Dbgview.exe'
Image|endswith: '\Desktops.exe'
Image|endswith: '\Desktops64.exe'
Image|endswith: '\DiskView.exe'
Image|endswith: '\DiskView64.exe'
Image|endswith: '\Diskmon.exe'
Image|endswith: '\Diskmon64.exe'
Image|endswith: '\FindLinks.exe'
Image|endswith: '\FindLinks64.exe'
Image|endswith: '\Procmon.exe'
Image|endswith: '\Procmon64.exe'
Image|endswith: '\RAMMap.exe'
Image|endswith: '\RAMMap64.exe'
Image|endswith: '\RDCMan.exe'
Image|endswith: '\RegDelNull.exe'
Image|endswith: '\RegDelNull64.exe'
Image|endswith: '\ShareEnum.exe'
Image|endswith: '\ShareEnum64.exe'
Image|endswith: '\Sysmon.exe'
Image|endswith: '\Sysmon64.exe'
Image|endswith: '\Testlimit.exe'
Image|endswith: '\Testlimit64.exe'
Image|endswith: '\Volumeid.exe'
Image|endswith: '\Volumeid64.exe'
Image|endswith: '\Winobj.exe'
Image|endswith: '\Winobj64.exe'
Image|endswith: '\ZoomIt.exe'
Image|endswith: '\ZoomIt64.exe'
Image|endswith: '\accesschk.exe'
Image|endswith: '\accesschk64.exe'
Image|endswith: '\adrestore.exe'
Image|endswith: '\adrestore64.exe'
Image|endswith: '\autorunsc.exe'
Image|endswith: '\autorunsc64.exe'
Image|endswith: '\ctrl2cap.exe'
Image|endswith: '\dbgview64.exe'
Image|endswith: '\disk2vhd.exe'
Image|endswith: '\disk2vhd64.exe'
Image|endswith: '\diskext.exe'
Image|endswith: '\diskext64.exe'
Image|endswith: '\du.exe'
Image|endswith: '\du64.exe'
Image|endswith: '\efsdump.exe'
Image|endswith: '\handle.exe'
Image|endswith: '\handle64.exe'
Image|endswith: '\hex2dec.exe'
Image|endswith: '\hex2dec64.exe'
Image|endswith: '\junction.exe'
Image|endswith: '\junction64.exe'
Image|endswith: '\ldmdump.exe'
Image|endswith: '\listdlls.exe'
Image|endswith: '\listdlls64.exe'
Image|endswith: '\livekd.exe'
Image|endswith: '\livekd64.exe'
Image|endswith: '\loadOrd.exe'
Image|endswith: '\loadOrd64.exe'
Image|endswith: '\loadOrdC.exe'
Image|endswith: '\loadOrdC64.exe'
Image|endswith: '\logonsessions.exe'
Image|endswith: '\logonsessions64.exe'
Image|endswith: '\movefile.exe'
Image|endswith: '\movefile64.exe'
Image|endswith: '\notmyfault.exe'
Image|endswith: '\notmyfault64.exe'
Image|endswith: '\notmyfaultc.exe'
Image|endswith: '\notmyfaultc64.exe'
Image|endswith: '\ntfsinfo.exe'
Image|endswith: '\ntfsinfo64.exe'
Image|endswith: '\pendmoves.exe'
Image|endswith: '\pendmoves64.exe'
Image|endswith: '\pipelist.exe'
Image|endswith: '\pipelist64.exe'
Image|endswith: '\portmon.exe'
Image|endswith: '\procdump.exe'
Image|endswith: '\procdump64.exe'
Image|endswith: '\procexp.exe'
Image|endswith: '\procexp64.exe'
Image|endswith: '\psExec.exe'
Image|endswith: '\psExec64.exe'
Image|endswith: '\psGetsid.exe'
Image|endswith: '\psGetsid64.exe'
Image|endswith: '\psInfo.exe'
Image|endswith: '\psInfo64.exe'
Image|endswith: '\psLoggedon.exe'
Image|endswith: '\psLoggedon64.exe'
Image|endswith: '\psService.exe'
Image|endswith: '\psService64.exe'
Image|endswith: '\psfile.exe'
Image|endswith: '\psfile64.exe'
Image|endswith: '\pskill.exe'
Image|endswith: '\pskill64.exe'
Image|endswith: '\pslist.exe'
Image|endswith: '\pslist64.exe'
Image|endswith: '\psloglist.exe'
Image|endswith: '\psloglist64.exe'
Image|endswith: '\pspasswd.exe'
Image|endswith: '\pspasswd64.exe'
Image|endswith: '\psping.exe'
Image|endswith: '\psping64.exe'
Image|endswith: '\psshutdown.exe'
Image|endswith: '\psshutdown64.exe'
Image|endswith: '\pssuspend.exe'
Image|endswith: '\pssuspend64.exe'
Image|endswith: '\regjump.exe'
Image|endswith: '\ru.exe'
Image|endswith: '\ru64.exe'
Image|endswith: '\sdelete.exe'
Image|endswith: '\sdelete64.exe'
Image|endswith: '\shellRunas.exe'
Image|endswith: '\sigcheck.exe'
Image|endswith: '\sigcheck64.exe'
Image|endswith: '\streams.exe'
Image|endswith: '\streams64.exe'
Image|endswith: '\strings.exe'
Image|endswith: '\strings64.exe'
Image|endswith: '\sync.exe'
Image|endswith: '\sync64.exe'
Image|endswith: '\tcpvcon.exe'
Image|endswith: '\tcpvcon64.exe'
Image|endswith: '\tcpview.exe'
Image|endswith: '\tcpview64.exe'
Image|endswith: '\vmmap.exe'
Image|endswith: '\vmmap64.exe'
Image|endswith: '\whois.exe'
Image|endswith: '\whois64.exe'
Stage 2: 1 of selection_arm64
or:
Image|endswith: '\ADExplorer64a.exe'
Image|endswith: '\ADInsight64a.exe'
Image|endswith: '\Autologon64a.exe'
Image|endswith: '\Autoruns64a.exe'
Image|endswith: '\Clockres64a.exe'
Image|endswith: '\Contig64a.exe'
Image|endswith: '\Coreinfo64a.exe'
Image|endswith: '\Dbgview64a.exe'
Image|endswith: '\DiskView64a.exe'
Image|endswith: '\FindLinks64a.exe'
Image|endswith: '\LoadOrd64a.exe'
Image|endswith: '\LoadOrdC64a.exe'
Image|endswith: '\Procmon64a.exe'
Image|endswith: '\PsExec64a.exe'
Image|endswith: '\PsGetsid64a.exe'
Image|endswith: '\PsInfo64a.exe'
Image|endswith: '\PsService64a.exe'
Image|endswith: '\RAMMap64a.exe'
Image|endswith: '\RegDelNull64a.exe'
Image|endswith: '\Sysmon64a.exe'
Image|endswith: '\Winobj64a.exe'
Image|endswith: '\ZoomIt64a.exe'
Image|endswith: '\accesschk64a.exe'
Image|endswith: '\adrestore64a.exe'
Image|endswith: '\autorunsc64a.exe'
Image|endswith: '\disk2vhd64a.exe'
Image|endswith: '\diskext64a.exe'
Image|endswith: '\du64a.exe'
Image|endswith: '\handle64a.exe'
Image|endswith: '\hex2dec64a.exe'
Image|endswith: '\junction64a.exe'
Image|endswith: '\logonsessions64a.exe'
Image|endswith: '\movefile64a.exe'
Image|endswith: '\notmyfault64a.exe'
Image|endswith: '\notmyfaultc64a.exe'
Image|endswith: '\pendmoves64a.exe'
Image|endswith: '\pipelist64a.exe'
Image|endswith: '\procdump64a.exe'
Image|endswith: '\procexp64a.exe'
Image|endswith: '\psfile64a.exe'
Image|endswith: '\pskill64a.exe'
Image|endswith: '\psloglist64a.exe'
Image|endswith: '\pspasswd64a.exe'
Image|endswith: '\psping64a.exe'
Image|endswith: '\pssuspend64a.exe'
Image|endswith: '\ru64a.exe'
Image|endswith: '\sdelete64a.exe'
Image|endswith: '\sigcheck64a.exe'
Image|endswith: '\streams64a.exe'
Image|endswith: '\strings64a.exe'
Image|endswith: '\sync64a.exe'
Image|endswith: '\tcpvcon64a.exe'
Image|endswith: '\tcpview64a.exe'
Image|endswith: '\vmmap64a.exe'
Image|endswith: '\whois64a.exe'
Stage 3: not 1 of filter_*
or:
Company: 'Sysinternals - www.sysinternals.com'
Company: Sysinternals
Company: null
Product: null
Product|startswith: Sysinternals
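As an added example (not part of the rule or this catalog page), the detection logic above written out in Python and run over constructed Sysmon Event ID 1 records. It assumes the three stages combine as Sigma's `1 of selection_* and not 1 of filter_*` (Stage 1 or Stage 2, and not Stage 3), uses only a short subset of the Image suffixes, and compares strings case-insensitively as Sigma does by default.

```python
# Added example, not the rule's or catalog's own code: evaluates the predicates above
# against Sysmon Event ID 1 records held as dicts. Assumptions: the stages combine as
# "(Stage 1 or Stage 2) and not Stage 3"; the suffix tuple is a short subset of the
# rule's selection lists; matching is case-insensitive, as Sigma's is by default.

SYSINTERNALS_SUFFIXES = (  # subset; the full list is in Stage 1 and Stage 2
    r"\procdump.exe", r"\procdump64.exe", r"\procdump64a.exe",
    r"\psExec.exe", r"\psExec64.exe", r"\PsExec64a.exe",
    r"\sdelete.exe", r"\sdelete64.exe", r"\sdelete64a.exe",
    r"\Sysmon.exe", r"\Sysmon64.exe", r"\Sysmon64a.exe",
)
LEGIT_COMPANY = {"sysinternals - www.sysinternals.com", "sysinternals"}  # Stage 3
LEGIT_PRODUCT_PREFIX = "sysinternals"                                    # Stage 3

def image_matches(image):
    """Stage 1 / Stage 2: Image|endswith one of the Sysinternals binary names."""
    lowered = image.lower()
    return any(lowered.endswith(s.lower()) for s in SYSINTERNALS_SUFFIXES)

def filtered_as_legitimate(company, product):
    """Stage 3: any filter_* hit suppresses the alert, including absent (null) fields."""
    if company is None or product is None:          # Company: null / Product: null
        return True
    if company.lower() in LEGIT_COMPANY:            # Company: eq
        return True
    return product.lower().startswith(LEGIT_PRODUCT_PREFIX)  # Product|startswith

def rule_matches(event):
    """Fire on a process creation named like a Sysinternals tool whose PE metadata
    does not identify it as Sysinternals."""
    if event.get("EventID") != 1:
        return False
    return image_matches(event.get("Image", "")) and not filtered_as_legitimate(
        event.get("Company"), event.get("Product"))

# Constructed sample records (not real telemetry). Sysmon typically records an absent
# version field as "-", not null, so the last record is not filtered and still alerts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\procdump64.exe",
     "Company": "Sysinternals - www.sysinternals.com", "Product": "Sysinternals ProcDump"},
    {"EventID": 1, "Image": r"C:\Users\Public\procdump64.exe",
     "Company": "Contoso Ltd", "Product": "Contoso Updater"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Company": "Microsoft Corporation", "Product": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Temp\PsExec64a.exe", "Company": "-", "Product": "-"},
]

def alerts(events):
    """Return the Image paths of the records the rule would fire on."""
    return [e["Image"] for e in events if rule_matches(e)]
```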
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule.

| Field | Kind | Values |
|---|---|---|
| Company | eq | Stage 3 filter values |
| Image | ends_with | Stage 1 and Stage 2 binary names |
| Product | starts_with | Stage 3 filter value |