CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/win_renamed_binary.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

120 lines
3.8 KiB
YAML
Raw Blame History

title: Renamed Binary
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community
(improvements), Andreas Hunkeler (@Karneades)
date: 2019/06/15
description: Detects the execution of a renamed binary often used by attackers or
malware leveraging new Sysmon OriginalFileName datapoint.
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
OriginalFileName: regsvr32.exe
SELECTION_11:
OriginalFileName: wmic.exe
SELECTION_12:
OriginalFileName: certutil.exe
SELECTION_13:
OriginalFileName: rundll32.exe
SELECTION_14:
OriginalFileName: cmstp.exe
SELECTION_15:
OriginalFileName: msiexec.exe
SELECTION_16:
OriginalFileName: 7z.exe
SELECTION_17:
OriginalFileName: winrar.exe
SELECTION_18:
OriginalFileName: wevtutil.exe
SELECTION_19:
OriginalFileName: net.exe
SELECTION_2:
OriginalFileName: cmd.exe
SELECTION_20:
OriginalFileName: net1.exe
SELECTION_21:
OriginalFileName: netsh.exe
SELECTION_22:
Image: '*\cmd.exe'
SELECTION_23:
Image: '*\powershell.exe'
SELECTION_24:
Image: '*\powershell_ise.exe'
SELECTION_25:
Image: '*\psexec.exe'
SELECTION_26:
Image: '*\psexec64.exe'
SELECTION_27:
Image: '*\cscript.exe'
SELECTION_28:
Image: '*\wscript.exe'
SELECTION_29:
Image: '*\mshta.exe'
SELECTION_3:
OriginalFileName: powershell.exe
SELECTION_30:
Image: '*\regsvr32.exe'
SELECTION_31:
Image: '*\wmic.exe'
SELECTION_32:
Image: '*\certutil.exe'
SELECTION_33:
Image: '*\rundll32.exe'
SELECTION_34:
Image: '*\cmstp.exe'
SELECTION_35:
Image: '*\msiexec.exe'
SELECTION_36:
Image: '*\7z.exe'
SELECTION_37:
Image: '*\winrar.exe'
SELECTION_38:
Image: '*\wevtutil.exe'
SELECTION_39:
Image: '*\net.exe'
SELECTION_4:
OriginalFileName: powershell_ise.exe
SELECTION_40:
Image: '*\net1.exe'
SELECTION_41:
Image: '*\netsh.exe'
SELECTION_5:
OriginalFileName: psexec.exe
SELECTION_6:
OriginalFileName: psexec.c
SELECTION_7:
OriginalFileName: cscript.exe
SELECTION_8:
OriginalFileName: wscript.exe
SELECTION_9:
OriginalFileName: mshta.exe
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21) and not ((SELECTION_22 or SELECTION_23 or SELECTION_24 or
SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29
or SELECTION_30 or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34
or SELECTION_35 or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39
or SELECTION_40 or SELECTION_41)))
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically
this is easy to spot and add to whitelist
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
level: medium
logsource:
category: process_creation
product: windows
modified: 2020/09/06
references:
- https://attack.mitre.org/techniques/T1036/
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
- attack.t1036.003
yml_filename: win_renamed_binary.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
Reference in New Issue View Git Blame Copy Permalink