75 lines
1.8 KiB
YAML
75 lines
1.8 KiB
YAML
|
|
title: Renamed Binary
|
|
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community
|
|
(improvements), Andreas Hunkeler (@Karneades)
|
|
date: 2019/06/15
|
|
description: Detects the execution of a renamed binary often used by attackers or
|
|
malware leveraging new Sysmon OriginalFileName datapoint.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
OriginalFileName:
|
|
- cmd.exe
|
|
- powershell.exe
|
|
- powershell_ise.exe
|
|
- psexec.exe
|
|
- psexec.c
|
|
- cscript.exe
|
|
- wscript.exe
|
|
- mshta.exe
|
|
- regsvr32.exe
|
|
- wmic.exe
|
|
- certutil.exe
|
|
- rundll32.exe
|
|
- cmstp.exe
|
|
- msiexec.exe
|
|
- 7z.exe
|
|
- winrar.exe
|
|
- wevtutil.exe
|
|
- net.exe
|
|
- net1.exe
|
|
- netsh.exe
|
|
SELECTION_3:
|
|
Image:
|
|
- '*\cmd.exe'
|
|
- '*\powershell.exe'
|
|
- '*\powershell_ise.exe'
|
|
- '*\psexec.exe'
|
|
- '*\psexec64.exe'
|
|
- '*\cscript.exe'
|
|
- '*\wscript.exe'
|
|
- '*\mshta.exe'
|
|
- '*\regsvr32.exe'
|
|
- '*\wmic.exe'
|
|
- '*\certutil.exe'
|
|
- '*\rundll32.exe'
|
|
- '*\cmstp.exe'
|
|
- '*\msiexec.exe'
|
|
- '*\7z.exe'
|
|
- '*\winrar.exe'
|
|
- '*\wevtutil.exe'
|
|
- '*\net.exe'
|
|
- '*\net1.exe'
|
|
- '*\netsh.exe'
|
|
condition: (SELECTION_1 and SELECTION_2 and not (SELECTION_3))
|
|
falsepositives:
|
|
- Custom applications use renamed binaries adding slight change to binary name. Typically
|
|
this is easy to spot and add to whitelist
|
|
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
|
|
level: medium
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2020/09/06
|
|
references:
|
|
- https://attack.mitre.org/techniques/T1036/
|
|
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
|
|
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1036
|
|
- attack.t1036.003
|
|
ruletype: SIGMA
|