T1036.003 CrowdStrike LogScale · LogScale

Detect Rename Legitimate Utilities in CrowdStrike LogScale

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1036 Masquerading
Sub-technique: T1036.003 Rename Legitimate Utilities
Canonical reference: https://attack.mitre.org/techniques/T1036/003/

LogScale Detection Query

CrowdStrike LogScale (CQL)
#event_simpleName=ProcessRollup2
| OriginalFilename=/(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msbuild\.exe|psexec\.exe|psexesvc\.exe|bitsadmin\.exe|wmic\.exe)$/
| LowerFileName := lower(FileName)
| !in(field=LowerFileName, values=["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe"])
| table([_time, ComputerName, UserName, FileName, OriginalFilename, CommandLine, ParentBaseFileName, SHA256HashData])
| sort(field=_time, order=desc)
Severity: high · Confidence: high

CrowdStrike LogScale (CQL) query against Falcon sensor ProcessRollup2 process creation events that detects renamed legitimate Windows utilities. Matches on the PE OriginalFilename field using a case-insensitive regex for monitored LOLBins, then derives a lowercase version of the actual FileName field and uses the !in() filter to exclude events where the filename already matches the expected name, surfacing only instances where a utility was renamed before execution. Requires CrowdStrike Falcon sensor with Endpoint Activity Monitoring (EAM) and PE metadata enrichment enabled in the policy.

Data Sources

  • CrowdStrike Falcon sensor ProcessRollup2 events (Endpoint Activity Monitoring must be enabled)
  • CrowdStrike Falcon Data Replicator (FDR) stream ingested into LogScale / Humio

Required Tables

ProcessRollup2 Falcon event stream (#event_simpleName=ProcessRollup2)

False Positives & Tuning

  • Managed service provider RMM agents (ConnectWise Automate, Datto RMM, NinjaRMM) that ship renamed administrative utilities as part of self-contained agent packages installed on managed endpoints
  • Software update and patch management mechanisms that extract and temporarily rename Windows system tools to staging directories before in-place replacement during update cycles
  • Container or VM management tools (Docker Desktop for Windows, Hyper-V management utilities) that copy and rename system utilities into isolated execution environments for compatibility purposes

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Rename cmd.exe and Execute

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\notcmd.exe, OriginalFileName=Cmd.Exe. The OriginalFileName mismatch is the key detection indicator.

  2. Test 2: Rename certutil.exe for Download Cradle

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\cert_helper.exe, OriginalFileName=CertUtil.exe, CommandLine containing -urlcache. Network connection event (Sysmon ID 3) to 127.0.0.1.

  3. Test 3: Rename rundll32.exe for Proxy Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image in ProgramData, OriginalFileName=RUNDLL32.EXE. File creation event for dbengin.exe in the PlayReady directory.
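The filter logic of the LogScale query above, rewritten in Python as an added example (not part of this page or of CrowdStrike's tooling) so the three test scenarios can be dry-run offline against ProcessRollup2-shaped records; it also shows the query's blind spot for binaries with no OriginalFilename. The event records, hostnames and the `_pr2` helper are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Same monitored utilities as the query's OriginalFilename regex and its !in() list.
MONITORED = [
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe",
    "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe",
]
# Anchored, case-insensitive: mirrors /(?i)^(cmd\.exe|...|wmic\.exe)$/ in CQL.
ORIGINAL_NAME_RE = re.compile(
    "^(" + "|".join(re.escape(n) for n in MONITORED) + ")$", re.IGNORECASE)

def is_renamed_utility(event: Dict[str, object]) -> bool:
    """True when the PE OriginalFilename names a monitored utility but the
    on-disk FileName differs (case-insensitively), i.e. the binary was renamed.
    An event with no OriginalFilename never matches, just as the CQL regex
    filter drops it: a binary whose version resource was stripped is a gap."""
    original = event.get("OriginalFilename")
    if not isinstance(original, str) or not ORIGINAL_NAME_RE.match(original):
        return False
    lower_file_name = str(event.get("FileName", "")).lower()  # LowerFileName := lower(FileName)
    return lower_file_name not in MONITORED                    # !in(field=LowerFileName, values=[...])

def find_renamed_utilities(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the full query: ProcessRollup2 events only, filter, newest first."""
    hits = [e for e in events
            if e.get("event_simpleName") == "ProcessRollup2" and is_renamed_utility(e)]
    return sorted(hits, key=lambda e: e["_time"], reverse=True)

def _pr2(t, host, file_name, cmd, original=None):
    """Build a constructed ProcessRollup2-shaped record (not real Falcon telemetry)."""
    e = {"event_simpleName": "ProcessRollup2", "_time": t, "ComputerName": host,
         "FileName": file_name, "CommandLine": cmd}
    if original is not None:
        e["OriginalFilename"] = original
    return e

# Constructed events: the first three mirror the Atomic Red Team tests above,
# the last three are controls that must not alert.
SAMPLE_EVENTS = [
    _pr2(1700000001, "WS01", "notcmd.exe", "notcmd.exe /c whoami", "Cmd.Exe"),
    _pr2(1700000002, "WS01", "cert_helper.exe", "cert_helper.exe -urlcache", "CertUtil.exe"),
    _pr2(1700000003, "WS02", "dbengin.exe", "dbengin.exe", "RUNDLL32.EXE"),
    _pr2(1700000004, "WS02", "CMD.EXE", "CMD.EXE /c dir", "Cmd.Exe"),       # case differs only
    _pr2(1700000005, "WS03", "notepad.exe", "notepad.exe", "NOTEPAD.EXE"),  # not a monitored utility
    _pr2(1700000006, "WS03", "svc.exe", "svc.exe"),                         # no version resource
]
```

Calling `find_renamed_utilities(SAMPLE_EVENTS)` returns only the three renamed-utility records, newest first, while the case-only, unmonitored and no-OriginalFilename controls are dropped.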
