T1036.003 Elastic Security · Elastic

Detect Rename Legitimate Utilities in Elastic Security

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.003 Rename Legitimate Utilities
Canonical reference
https://attack.mitre.org/techniques/T1036/003/

Elastic Detection Query

Elastic Security (Elastic), EQL
process where event.type == "start" and
  process.pe.original_file_name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe") and
  not process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe")
Severity: high. Confidence: high.

Detects renamed legitimate Windows system utilities by comparing the OriginalFileName value embedded in the PE version resource (process.pe.original_file_name) against the on-disk filename the process was launched under (process.name), using Elastic Common Schema fields. The rule fires when a monitored LOLBin is identified by its embedded PE version resource but the executing filename does not match, indicating T1036.003 defense evasion. Both comparisons use the EQL `in~` operator, which is case-insensitive; this matters because the embedded values are mixed case (for example Cmd.Exe, CertUtil.exe, RUNDLL32.EXE) while the on-disk name is whatever the adversary chose. Two caveats: process.pe.original_file_name is only populated when the binary carries a version resource, so a copy whose resource has been stripped or edited will not match, and a utility that is merely copied to a non-standard path without being renamed is not covered by this query because process.name still matches. Before relying on a literal in the first list, confirm the OriginalFileName value each utility actually carries in your environment, since vendor binaries do not always embed their on-disk filename. Requires Elastic Endpoint agent or Winlogbeat with the Sysmon module ingesting process creation events.

Data Sources

  • Elastic Endpoint Security agent (logs-endpoint.events.process-*)
  • Winlogbeat with Sysmon module, Sysmon Event ID 1 (logs-windows.sysmon_operational-*)

Required Tables

  • logs-endpoint.events.process-*
  • logs-windows.sysmon_operational-*

False Positives & Tuning

  • Enterprise endpoint management agents (SCCM, Tanium, CrowdStrike Falcon sensor) that internally bundle or invoke renamed copies of system utilities as part of their own installation or operational workflows
  • Software installers that temporarily extract and rename cmd.exe or powershell.exe under custom names during multi-stage or self-extracting archive installation processes
  • Authorized red team or penetration testing operations that rename system utilities as part of an approved engagement scope — correlate with change management or pentest scheduling records
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Rename cmd.exe and Execute

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\notcmd.exe, OriginalFileName=Cmd.Exe. The OriginalFileName mismatch is the key detection indicator.

  2. Test 2: Rename certutil.exe for Download Cradle

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\cert_helper.exe, OriginalFileName=CertUtil.exe, CommandLine containing -urlcache. Network connection event (Sysmon ID 3) to 127.0.0.1.

  3. Test 3: Rename rundll32.exe for Proxy Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image in ProgramData, OriginalFileName=RUNDLL32.EXE. File creation event for dbengin.exe in the PlayReady directory.
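The following Python script is an added example, not Elastic's code or part of the detection package: it re-implements the logic of the EQL rule above and runs it over constructed Sysmon-style events, including the three expected signals from the tests in this section, so the rule's behaviour can be checked offline without a stack. The mapping from Sysmon's Image and OriginalFileName fields to ECS is a simplification made for this example (only the fields the rule reads are produced; a missing version resource is represented as Sysmon's "-" placeholder), and every path and command line in the sample events is made up.

```python
import ntpath

# Utilities named in the rule's two in~ lists. EQL in~ is case-insensitive,
# so everything is compared lower-cased.
MONITORED_UTILITIES = frozenset({
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe",
    "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe",
})


def sysmon_process_create_to_ecs(image, original_file_name, command_line=""):
    """Build the subset of ECS fields the rule reads from a Sysmon Event ID 1.

    Assumption made for this example: process.name is the file-name component
    of Image, and process.pe.original_file_name carries OriginalFileName as
    logged, with Sysmon's "-" (no version resource) mapped to None.
    """
    missing = original_file_name in ("-", "", None)
    return {
        "event.type": "start",
        "process.executable": image,
        "process.name": ntpath.basename(image),
        "process.command_line": command_line,
        "process.pe.original_file_name": None if missing else original_file_name,
    }


def is_renamed_utility(event):
    """True when the event satisfies the EQL rule's where clause."""
    if event.get("event.type") != "start":
        return False
    original = event.get("process.pe.original_file_name")
    name = event.get("process.name")
    if not original or not name:
        # No version resource, or field not populated: the rule cannot fire.
        return False
    return (original.lower() in MONITORED_UTILITIES
            and name.lower() not in MONITORED_UTILITIES)


def evaluate(events):
    """Return process.executable for every event that would raise an alert."""
    return [e["process.executable"] for e in events if is_renamed_utility(e)]


# Constructed sample telemetry: the three expected test signals, two benign
# launches, one evasive copy and one unrelated third-party binary.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    sysmon_process_create_to_ecs(TEMP + r"\notcmd.exe", "Cmd.Exe",
                                 "notcmd.exe /c whoami"),
    sysmon_process_create_to_ecs(TEMP + r"\cert_helper.exe", "CertUtil.exe",
                                 "cert_helper.exe -urlcache -split -f http://127.0.0.1/a.txt a.txt"),
    sysmon_process_create_to_ecs(r"C:\ProgramData\PlayReady\dbengin.exe", "RUNDLL32.EXE",
                                 "dbengin.exe shell32.dll,Control_RunDLL"),
    # Unmodified utility from its usual path: names agree, no alert.
    sysmon_process_create_to_ecs(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c dir"),
    # Copied to a non-standard path but not renamed: this rule stays silent by design.
    sysmon_process_create_to_ecs(r"C:\Users\Public\cmd.exe", "Cmd.Exe", "cmd.exe"),
    # Renamed copy whose version resource was stripped: OriginalFileName absent, rule is blind.
    sysmon_process_create_to_ecs(r"C:\Users\Public\svc.exe", "-", "svc.exe"),
    # Third-party binary whose OriginalFileName matches its own name.
    sysmon_process_create_to_ecs(r"C:\Program Files\Vendor\agent.exe", "agent.exe", "agent.exe --run"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT T1036.003 renamed utility:", hit)
```

Running the script prints exactly the three test executables; the unrenamed copy in C:\Users\Public and the resource-stripped copy produce nothing, which are the two gaps called out in the rule description and the reason this detection should sit beside rules keyed on execution path and on command-line content.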

Unlock Pro Content

Get the full detection package for T1036.003 including response playbook, investigation guide, and atomic red team tests.
