LoFP LoFP / psexec installed via windows store doesn't contain original filename field (false negative)

Techniques

Sample rules

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Description

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Detection logic

condition: selection and not filter
filter:
  Image|endswith:
  - \certutil.exe
  - \cmstp.exe
  - \cscript.exe
  - \ie4uinit.exe
  - \mshta.exe
  - \msiexec.exe
  - \msxsl.exe
  - \powershell_ise.exe
  - \powershell.exe
  - \psexec.exe
  - \psexec64.exe
  - \PSEXESVC.exe
  - \pwsh.exe
  - \reg.exe
  - \regsvr32.exe
  - \rundll32.exe
  - \wermgr.exe
  - \wmic.exe
  - \wscript.exe
selection:
- Description: Execute processes remotely
- Product: Sysinternals PsExec
- Description|startswith:
  - Windows PowerShell
  - pwsh
- OriginalFileName:
  - certutil.exe
  - cmstp.exe
  - cscript.exe
  - IE4UINIT.EXE
  - mshta.exe
  - msiexec.exe
  - msxsl.exe
  - powershell_ise.exe
  - powershell.exe
  - psexec.c
  - psexec.exe
  - psexesvc.exe
  - pwsh.dll
  - reg.exe
  - regsvr32.exe
  - rundll32.exe
  - WerMgr
  - wmic.exe
  - wscript.exe