title: Renamed Binary
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community
  (improvements), Andreas Hunkeler (@Karneades)
date: 2019/06/15
description: Detects the execution of a renamed binary often used by attackers or
  malware leveraging new Sysmon OriginalFileName datapoint.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    OriginalFileName:
    - cmd.exe
    - powershell.exe
    - powershell_ise.exe
    - psexec.exe
    - psexec.c
    - cscript.exe
    - wscript.exe
    - mshta.exe
    - regsvr32.exe
    - wmic.exe
    - certutil.exe
    - rundll32.exe
    - cmstp.exe
    - msiexec.exe
    - 7z.exe
    - winrar.exe
    - wevtutil.exe
    - net.exe
    - net1.exe
    - netsh.exe
  SELECTION_3:
    Image:
    - '*\cmd.exe'
    - '*\powershell.exe'
    - '*\powershell_ise.exe'
    - '*\psexec.exe'
    - '*\psexec64.exe'
    - '*\cscript.exe'
    - '*\wscript.exe'
    - '*\mshta.exe'
    - '*\regsvr32.exe'
    - '*\wmic.exe'
    - '*\certutil.exe'
    - '*\rundll32.exe'
    - '*\cmstp.exe'
    - '*\msiexec.exe'
    - '*\7z.exe'
    - '*\winrar.exe'
    - '*\wevtutil.exe'
    - '*\net.exe'
    - '*\net1.exe'
    - '*\netsh.exe'
  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically
  this is easy to spot and add to whitelist
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2020/09/06
references:
- https://attack.mitre.org/techniques/T1036/
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1036.003