T1036.003 Google Chronicle · YARA-L

Detect Rename Legitimate Utilities in Google Chronicle

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1036 Masquerading
Sub-technique: T1036.003 Rename Legitimate Utilities
Canonical reference: https://attack.mitre.org/techniques/T1036/003/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule renamed_legitimate_utilities_t1036_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects renamed legitimate Windows system utilities via PE OriginalFileName vs actual process filename mismatch"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.003"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    // Windows process-launch telemetry; PE metadata enrichment must be present
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // The PE header's OriginalFileName is one of the watched utilities (LOLBins)
    re.regex($e.target.process.file.pe_file.original_file_name,
      `(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msbuild\.exe|psexec\.exe|psexesvc\.exe|bitsadmin\.exe|wmic\.exe)$`)
    // ...and no element of the repeated on-disk file.names field is a watched name,
    // i.e. the binary was renamed before it was executed
    not re.regex($e.target.process.file.names,
      `(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msbuild\.exe|psexec\.exe|psexesvc\.exe|bitsadmin\.exe|wmic\.exe)$`)

  condition:
    $e
}

Chronicle YARA-L 2.0 detection rule that identifies renamed legitimate Windows utilities from UDM PROCESS_LAUNCH events. It matches the PE OriginalFileName UDM field (target.process.file.pe_file.original_file_name) against a list of known LOLBins and excludes events where the repeated target.process.file.names field already contains an expected executable name, so only binaries renamed before execution are surfaced. Requires Windows endpoint telemetry ingested via the Chronicle forwarder or a Defender for Endpoint / Sysmon Chronicle connector with PE metadata enrichment; launches whose original_file_name field is not populated cannot match.

Data Sources

  • Google Chronicle with Windows endpoint telemetry via Chronicle Universal Forwarder
  • Chronicle UDM events from Microsoft Defender for Endpoint or Sysmon via Chronicle ingestion connector with PE metadata enrichment enabled

Required Tables

Chronicle UDM PROCESS_LAUNCH events with target.process.file.pe_file.original_file_name populated

False Positives & Tuning

  • Enterprise UEM or MDM platforms (Microsoft Intune, VMware Workspace ONE UEM) that execute renamed system utilities during policy enforcement, compliance scanning, or device enrollment workflows
  • Google Chrome Enterprise distribution packages or third-party browser deployment tooling that bundles renamed Windows utilities for cross-version compatibility or sandboxed execution
  • Forensics and incident response collection toolkits that deliberately rename system utilities to staging directories for offline analysis or evidence preservation environments

Testing Methodology

Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Rename cmd.exe and Execute

     Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\notcmd.exe, OriginalFileName=Cmd.Exe. The OriginalFileName mismatch is the key detection indicator.

  2. Test 2: Rename certutil.exe for Download Cradle

     Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\cert_helper.exe, OriginalFileName=CertUtil.exe, CommandLine containing -urlcache. Network connection event (Sysmon ID 3) to 127.0.0.1.

  3. Test 3: Rename rundll32.exe for Proxy Execution

     Expected signal: Sysmon Event ID 1: Process Create with Image in ProgramData, OriginalFileName=RUNDLL32.EXE. File creation event for dbengin.exe in the PlayReady directory.
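To show what the rule's two clauses do on concrete events, here is an added Python model of the same logic (not the page's own code, and not how Chronicle evaluates YARA-L). The event dicts are constructed, with file_names standing in for the repeated target.process.file.names field and original_file_name for pe_file.original_file_name; the strict_matches variant goes beyond the rule by comparing the on-disk name against OriginalFileName itself rather than against the whole watched list.

```python
import re

# Constructed example: the watched-utility list copied from the YARA-L rule's regexes.
WATCHED = re.compile(
    r"(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|"
    r"wscript\.exe|cscript\.exe|regsvr32\.exe|msbuild\.exe|psexec\.exe|psexesvc\.exe|"
    r"bitsadmin\.exe|wmic\.exe)$"
)

def watched_original(event: dict) -> str:
    """Lowercased OriginalFileName for a PROCESS_LAUNCH of a watched utility, else ""."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return ""
    original = (event.get("original_file_name") or "").lower()
    return original if WATCHED.search(original) else ""

def rule_matches(event: dict) -> bool:
    """Same logic as the YARA-L rule: watched OriginalFileName, and no element
    of the repeated file.names field matches the watched list."""
    if not watched_original(event):
        return False
    return not any(WATCHED.search(n) for n in event.get("file_names", []))

def strict_matches(event: dict) -> bool:
    """Stricter variant: flag whenever no on-disk name equals OriginalFileName,
    so a utility renamed to another watched name is still surfaced."""
    original = watched_original(event)
    names = {n.lower() for n in event.get("file_names", [])}
    return bool(original) and original not in names

# Constructed UDM-style events: the three Atomic tests above, a legitimate launch,
# an event without PE enrichment, and a watched-to-watched rename.
SAMPLE_EVENTS = [
    {"id": "t1", "event_type": "PROCESS_LAUNCH", "file_names": ["notcmd.exe"],
     "original_file_name": "Cmd.Exe"},
    {"id": "t2", "event_type": "PROCESS_LAUNCH", "file_names": ["cert_helper.exe"],
     "original_file_name": "CertUtil.exe"},
    {"id": "t3", "event_type": "PROCESS_LAUNCH", "file_names": ["dbengin.exe"],
     "original_file_name": "RUNDLL32.EXE"},
    {"id": "legit", "event_type": "PROCESS_LAUNCH", "file_names": ["cmd.exe"],
     "original_file_name": "Cmd.Exe"},
    {"id": "no_pe", "event_type": "PROCESS_LAUNCH", "file_names": ["notcmd.exe"],
     "original_file_name": ""},
    {"id": "swap", "event_type": "PROCESS_LAUNCH", "file_names": ["certutil.exe"],
     "original_file_name": "Cmd.Exe"},
]

def flagged(events, predicate=rule_matches) -> list:
    """Ids of the events the given predicate would alert on."""
    return [e["id"] for e in events if predicate(e)]
```

Because the rule's negated clause uses the full watched list, a utility renamed to another watched name (the swap event) is not surfaced by rule_matches but is by strict_matches; the no_pe event shows that launches without PE enrichment never match either way.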
