Techniques
Sample rules
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- source: sigma
- technicques:
- t1036
- t1036.003
Description
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Detection logic
condition: selection and not filter
filter:
Image|endswith:
- \certutil.exe
- \cmstp.exe
- \cscript.exe
- \mshta.exe
- \msiexec.exe
- \powershell_ise.exe
- \powershell.exe
- \psexec.exe
- \psexec64.exe
- \PSEXESVC.exe
- \pwsh.exe
- \reg.exe
- \regsvr32.exe
- \rundll32.exe
- \wermgr.exe
- \wmic.exe
- \wscript.exe
selection:
- Description: Execute processes remotely
- Product: Sysinternals PsExec
- Description|startswith:
- Windows PowerShell
- pwsh
- OriginalFileName:
- certutil.exe
- cmstp.exe
- cscript.exe
- mshta.exe
- msiexec.exe
- powershell_ise.exe
- powershell.exe
- psexec.c
- psexec.exe
- psexesvc.exe
- pwsh.dll
- reg.exe
- regsvr32.exe
- rundll32.exe
- WerMgr
- wmic.exe
- wscript.exe