T1036.003 IBM QRadar · QRadar

Detect Rename Legitimate Utilities in IBM QRadar

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.003 Rename Legitimate Utilities
Canonical reference
https://attack.mitre.org/techniques/T1036/003/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS User,
  "OriginalFileName",
  "Image" AS FullImagePath,
  "CommandLine",
  "ParentImage",
  "ParentCommandLine",
  LOGSOURCETYPENAME(logsourcetypeid) AS LogSourceType
FROM events
WHERE
  "EventCode" = '1'
  AND LOGSOURCETYPEID IN (12, 397)
  AND LOWER("OriginalFileName") IN (
    'cmd.exe', 'powershell.exe', 'pwsh.dll', 'rundll32.exe',
    'mshta.exe', 'certutil.exe', 'wscript.exe', 'cscript.exe',
    'regsvr32.exe', 'msbuild.exe', 'psexec.exe', 'psexesvc.exe',
    'bitsadmin.exe', 'wmic.exe'
  )
  AND NOT (
    "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR
    "Image" ILIKE '%\\pwsh.exe' OR "Image" ILIKE '%\\rundll32.exe' OR
    "Image" ILIKE '%\\mshta.exe' OR "Image" ILIKE '%\\certutil.exe' OR
    "Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\cscript.exe' OR
    "Image" ILIKE '%\\regsvr32.exe' OR "Image" ILIKE '%\\msbuild.exe' OR
    "Image" ILIKE '%\\psexec.exe' OR "Image" ILIKE '%\\psexesvc.exe' OR
    "Image" ILIKE '%\\bitsadmin.exe' OR "Image" ILIKE '%\\wmic.exe'
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity
high
Confidence
medium

AQL query for IBM QRadar that detects renamed legitimate Windows utilities from Sysmon Event ID 1 process-creation events. It matches events where the PE OriginalFileName custom property identifies a monitored LOLBin but the full Image path does not end with the expected executable name, using ILIKE suffix matching as a portable alternative to regex extraction (pwsh.dll is listed because that is the OriginalFileName carried by pwsh.exe). The time window (LAST 24 HOURS) is placed after ORDER BY, as AQL expects, and the ordering uses the raw starttime rather than the formatted alias. Because a single shared exclusion list is applied to every utility, a binary renamed to another monitored name (for example cmd.exe saved as certutil.exe) is not flagged; pairing each OriginalFileName with its own expected Image suffix closes that gap. Requires QRadar DSM parsing of the Sysmon XML fields (OriginalFileName, Image, CommandLine, ParentImage) as custom event properties via WinCollect or syslog.
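The same mismatch check as an added, offline example (not the page's own code and not a QRadar artifact), run over constructed Sysmon-style records shaped like the parsed custom properties. It goes slightly beyond the AQL above by pairing each OriginalFileName with its own expected file name, so a cmd.exe saved as certutil.exe is also flagged, which the shared exclusion list in the query does not catch.

```python
import ntpath

# OriginalFileName (lower-cased) -> file name the binary carries on disk. pwsh.exe's
# PE header reports 'pwsh.dll', so it is mapped explicitly instead of compared verbatim.
EXPECTED_IMAGE_NAME = {
    "cmd.exe": "cmd.exe", "powershell.exe": "powershell.exe", "pwsh.dll": "pwsh.exe",
    "rundll32.exe": "rundll32.exe", "mshta.exe": "mshta.exe", "certutil.exe": "certutil.exe",
    "wscript.exe": "wscript.exe", "cscript.exe": "cscript.exe", "regsvr32.exe": "regsvr32.exe",
    "msbuild.exe": "msbuild.exe", "psexec.exe": "psexec.exe", "psexesvc.exe": "psexesvc.exe",
    "bitsadmin.exe": "bitsadmin.exe", "wmic.exe": "wmic.exe",
}


def is_renamed_utility(event):
    """True for a Sysmon Event ID 1 record whose on-disk file name differs from the
    name its PE OriginalFileName says the monitored binary should have."""
    if str(event.get("EventCode", "")) != "1":
        return False  # only process-creation events carry both fields we compare
    expected = EXPECTED_IMAGE_NAME.get(event.get("OriginalFileName", "").lower())
    if expected is None:
        return False  # not one of the monitored utilities
    # ntpath splits on backslashes even when this runs on a non-Windows host;
    # lower-casing mirrors the case-insensitive ILIKE comparison in the AQL rule.
    return ntpath.basename(event.get("Image", "")).lower() != expected


def find_renamed(events):
    """Return the subset of events the rule would raise, in input order."""
    return [e for e in events if is_renamed_utility(e)]


# Constructed sample telemetry (hypothetical hosts and paths) mirroring the three tests below.
SAMPLE_EVENTS = [
    {"EventCode": "1", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"EventCode": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\notcmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"EventCode": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\cert_helper.exe", "OriginalFileName": "CertUtil.exe"},
    {"EventCode": "1", "Image": r"C:\ProgramData\Microsoft\PlayReady\dbengin.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"EventCode": "1", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll"},
    {"EventCode": "1", "Image": r"C:\Users\alice\Downloads\certutil.exe", "OriginalFileName": "Cmd.Exe"},
    {"EventCode": "3", "Image": r"C:\Users\alice\AppData\Local\Temp\cert_helper.exe", "OriginalFileName": "CertUtil.exe"},
]

if __name__ == "__main__":
    for hit in find_renamed(SAMPLE_EVENTS):
        print(f'{hit["Image"]}  (OriginalFileName={hit["OriginalFileName"]})')
```

The benign System32 cmd.exe, the legitimately named pwsh.exe and the Event ID 3 record are left alone; the four renamed images are returned.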

Data Sources

  • IBM QRadar with WinCollect agent collecting the Sysmon/Operational channel (EventCode 1)
  • QRadar DSM for Microsoft Windows with Sysmon custom property extraction rules

Required Tables

events (QRadar normalized event table)

False Positives & Tuning

  • Security product agents (EDR, AV, SIEM forwarders) that bundle renamed system utilities for self-contained cross-version compatibility within their own installation directories
  • Software deployment and patch management frameworks (SCCM, PDQ Deploy, Ansible) that stage renamed executables to temporary directories during package installation workflows
  • Custom enterprise PowerShell wrapper stubs that embed system utilities under proprietary names for centralized logging or access control enforcement

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Rename cmd.exe and Execute

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\notcmd.exe, OriginalFileName=Cmd.Exe. The OriginalFileName mismatch is the key detection indicator.

  2. Test 2: Rename certutil.exe for Download Cradle

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\cert_helper.exe, OriginalFileName=CertUtil.exe, CommandLine containing -urlcache. Network connection event (Sysmon ID 3) to 127.0.0.1.

  3. Test 3: Rename rundll32.exe for Proxy Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image in ProgramData, OriginalFileName=RUNDLL32.EXE. File creation event for dbengin.exe in the PlayReady directory.
