LoFP / legitimate use of the tool by administrators or users to update metadata of a binary

Techniques

Sample rules

PUA - Potential PE Metadata Tamper Using Rcedit

Description

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Detection logic

condition: all of selection_*
selection_attributes:
  CommandLine|contains:
  - OriginalFileName
  - CompanyName
  - FileDescription
  - ProductName
  - ProductVersion
  - LegalCopyright
selection_flags:
  CommandLine|contains: --set-
selection_img:
- Image|endswith:
  - \rcedit-x64.exe
  - \rcedit-x86.exe
- Description: Edit resources of exe
- Product: rcedit
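To make the rule's matching semantics concrete, here is an added Python evaluator (not code from LoFP or the Sigma project) that applies the three selections above to constructed Sysmon-style process-creation events; the field names follow the rule, and the paths and command lines are invented. The first event is exactly the legitimate metadata update this LoFP entry describes, and it fires the rule just like a renamed copy of rcedit does.

```python
# Added example, not code from LoFP or the Sigma project: a minimal evaluator for
# the rule's three selections over constructed process-creation events. Sigma
# matching is case-insensitive; selection_img's list is OR-ed; "all of" AND-s.

ATTRIBUTE_KEYS = ["OriginalFileName", "CompanyName", "FileDescription",
                  "ProductName", "ProductVersion", "LegalCopyright"]
IMAGE_SUFFIXES = ["\\rcedit-x64.exe", "\\rcedit-x86.exe"]

def _contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def selection_attributes(ev):
    return _contains_any(ev.get("CommandLine"), ATTRIBUTE_KEYS)

def selection_flags(ev):
    return _contains_any(ev.get("CommandLine"), ["--set-"])

def selection_img(ev):
    # Known file name, or the PE metadata Sysmon logs for the process image;
    # the latter two still fire if the rcedit binary itself has been renamed.
    img = (ev.get("Image") or "").lower()
    return (any(img.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or (ev.get("Description") or "").lower() == "edit resources of exe"
            or (ev.get("Product") or "").lower() == "rcedit")

def matches(ev):
    return selection_attributes(ev) and selection_flags(ev) and selection_img(ev)

def _event(image, cmdline, product="rcedit", desc="Edit resources of exe"):
    return {"Image": image, "CommandLine": cmdline, "Product": product, "Description": desc}

# Constructed events with hypothetical paths and values.
EVENTS = [
    # the LoFP case: a build step stamping CompanyName into its own output binary
    _event(r"C:\build\tools\rcedit-x64.exe",
           'rcedit-x64.exe app.exe --set-version-string "CompanyName" "Example Corp"'),
    # renamed copy of rcedit: Image does not match, but Product still does
    _event(r"C:\Users\Public\re.exe",
           're.exe app.exe --set-version-string "FileDescription" "Updater"'),
    # icon change only: no metadata key in the command line, no match
    _event(r"C:\build\tools\rcedit-x64.exe", "rcedit-x64.exe app.exe --set-icon app.ico"),
    # read-only query: no --set- flag, no match
    _event(r"C:\build\tools\rcedit-x64.exe",
           "rcedit-x64.exe app.exe --get-version-string ProductName"),
]

def evaluate(events=EVENTS):
    return [matches(ev) for ev in events]   # → [True, True, False, False]
```

Tuning this false positive therefore means filtering on the build host or parent process, not on the rcedit image name, since the Product and Description fields keep the rule firing for renamed binaries.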