T1036.003 Rename Legitimate Utilities Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let MonitoredUtilities = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessVersionInfoOriginalFileName in~ (MonitoredUtilities)
| where FileName !in~ (MonitoredUtilities)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         ProcessVersionInfoOriginalFileName, ProcessVersionInfoProductName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         SHA256
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Process: Process Metadata Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software compatibility shims or wrappers that copy and rename system utilities as part of their normal operation
Some application installers that bundle renamed copies of certutil.exe or other utilities for certificate management
IT automation tools that copy system utilities to temporary directories with different names during deployment
Windows Feature on Demand installations that may temporarily rename binaries

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (OriginalFileName IN ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "RUNDLL32.EXE", "MSHTA.EXE", "CertUtil.exe", "wscript.exe", "cscript.exe", "REGSVR32.EXE", "MSBuild.exe", "PsExec.exe", "bitsadmin.exe", "wmic.exe"))
| eval CurrentName=mvindex(split(Image, "\\"), -1)
| where lower(CurrentName)!=lower(OriginalFileName)
| eval RenamedFrom=OriginalFileName, RenamedTo=CurrentName
| table _time, host, User, Image, RenamedFrom, RenamedTo, CommandLine, ParentImage, ParentCommandLine, Hashes
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Process: Process Metadata Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software compatibility shims or wrappers that copy and rename system utilities
Some application installers that bundle renamed copies of certutil.exe or other utilities
IT automation tools that copy system utilities to temporary directories with different names

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.pe.original_file_name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe") and
  not process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security agent (logs-endpoint.events.process-*) Winlogbeat with Sysmon module — Sysmon Event ID 1 (logs-windows.sysmon_operational-*)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Enterprise endpoint management agents (SCCM, Tanium, CrowdStrike Falcon sensor) that internally bundle or invoke renamed copies of system utilities as part of their own installation or operational workflows
Software installers that temporarily extract and rename cmd.exe or powershell.exe under custom names during multi-stage or self-extracting archive installation processes
Authorized red team or penetration testing operations that rename system utilities as part of an approved engagement scope — correlate with change management or pentest scheduling records

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS User,
  "OriginalFileName",
  "Image" AS FullImagePath,
  "CommandLine",
  "ParentImage",
  "ParentCommandLine",
  LOGSOURCETYPENAME(logsourcetypeid) AS LogSourceType
FROM events
WHERE
  "EventCode" = '1'
  AND LOGSOURCETYPEID IN (12, 397)
  AND LOWER("OriginalFileName") IN (
    'cmd.exe', 'powershell.exe', 'pwsh.dll', 'rundll32.exe',
    'mshta.exe', 'certutil.exe', 'wscript.exe', 'cscript.exe',
    'regsvr32.exe', 'msbuild.exe', 'psexec.exe', 'psexesvc.exe',
    'bitsadmin.exe', 'wmic.exe'
  )
  AND NOT (
    "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR
    "Image" ILIKE '%\\pwsh.exe' OR "Image" ILIKE '%\\rundll32.exe' OR
    "Image" ILIKE '%\\mshta.exe' OR "Image" ILIKE '%\\certutil.exe' OR
    "Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\cscript.exe' OR
    "Image" ILIKE '%\\regsvr32.exe' OR "Image" ILIKE '%\\msbuild.exe' OR
    "Image" ILIKE '%\\psexec.exe' OR "Image" ILIKE '%\\psexesvc.exe' OR
    "Image" ILIKE '%\\bitsadmin.exe' OR "Image" ILIKE '%\\wmic.exe'
  )
LAST 24 HOURS
ORDER BY EventTime DESC

high severity medium confidence

Data Sources

IBM QRadar with WinCollect agent collecting Sysmon/Operational channel (EventCode 1) QRadar DSM for Microsoft Windows with Sysmon custom property extraction rules

Required Tables

events (QRadar normalized event table)

False Positives

Security product agents (EDR, AV, SIEM forwarders) that bundle renamed system utilities for self-contained cross-version compatibility within their own installation directories
Software deployment and patch management frameworks (SCCM, PDQ Deploy, Ansible) that stage renamed executables to temporary directories during package installation workflows
Custom enterprise PowerShell wrapper stubs that embed system utilities under proprietary names for centralized logging or access control enforcement

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* EventCode=1
| where OriginalFileName in ("Cmd.Exe","PowerShell.EXE","pwsh.dll","RUNDLL32.EXE","MSHTA.EXE","CertUtil.exe","wscript.exe","cscript.exe","REGSVR32.EXE","MSBuild.exe","PsExec.exe","bitsadmin.exe","wmic.exe")
| parse regex field=Image "(?<CurrentName>[^\\]+)$" nodrop
| where toLowerCase(CurrentName) != toLowerCase(OriginalFileName)
| table _time, host, User, Image, OriginalFileName, CurrentName, CommandLine, ParentImage, ParentCommandLine, Hashes
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic installed collector — Microsoft-Windows-Sysmon/Operational event log channel Windows Event Log source configured with _sourceCategory containing 'windows' and 'sysmon'

Required Tables

_sourceCategory=*windows*sysmon* (Sysmon Event ID 1 process creation events)

False Positives

Application virtualization solutions (Citrix App-V, Microsoft App-V) that execute system utilities through renamed container wrappers or compatibility shim layers
Endpoint management platforms (Ivanti Endpoint Manager, Jamf for Windows) that ship bundled administrative utilities under proprietary executable names for agent operations
DevOps build pipeline self-hosted agents (Jenkins, GitHub Actions, TeamCity) that rename system tools within isolated build workspace directories during compilation or test runs

Google Chronicle / SecOps

yaral

rule renamed_legitimate_utilities_t1036_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects renamed legitimate Windows system utilities via PE OriginalFileName vs actual process filename mismatch"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.003"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.target.process.file.pe_file.original_file_name,
      `(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msbuild\.exe|psexec\.exe|psexesvc\.exe|bitsadmin\.exe|wmic\.exe)$`)
    not re.regex($e.target.process.file.names,
      `(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msbuild\.exe|psexec\.exe|psexesvc\.exe|bitsadmin\.exe|wmic\.exe)$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with Windows endpoint telemetry via Chronicle Universal Forwarder Chronicle UDM events from Microsoft Defender for Endpoint or Sysmon via Chronicle ingestion connector with PE metadata enrichment enabled

Required Tables

Chronicle UDM PROCESS_LAUNCH events with target.process.file.pe_file.original_file_name populated

False Positives

Enterprise UEM or MDM platforms (Microsoft Intune, VMware Workspace ONE UEM) that execute renamed system utilities during policy enforcement, compliance scanning, or device enrollment workflows
Google Chrome Enterprise distribution packages or third-party browser deployment tooling that bundles renamed Windows utilities for cross-version compatibility or sandboxed execution
Forensics and incident response collection toolkits that deliberately rename system utilities to staging directories for offline analysis or evidence preservation environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| OriginalFilename=/(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msbuild\.exe|psexec\.exe|psexesvc\.exe|bitsadmin\.exe|wmic\.exe)$/
| LowerFileName := lower(FileName)
| !in(field=LowerFileName, values=["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe"])
| table([_time, ComputerName, UserName, FileName, OriginalFilename, CommandLine, ParentBaseFileName, SHA256HashData])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor ProcessRollup2 events (Endpoint Activity Monitoring must be enabled) CrowdStrike Falcon Data Replicator (FDR) stream ingested into LogScale / Humio

Required Tables

ProcessRollup2 Falcon event stream (#event_simpleName=ProcessRollup2)

False Positives

Managed service provider RMM agents (ConnectWise Automate, Datto RMM, NinjaRMM) that ship renamed administrative utilities as part of self-contained agent packages installed on managed endpoints
Software update and patch management mechanisms that extract and temporarily rename Windows system tools to staging directories before in-place replacement during update cycles
Container or VM management tools (Docker Desktop for Windows, Hyper-V management utilities) that copy and rename system utilities into isolated execution environments for compatibility purposes

Rename Legitimate Utilities

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections