Detect Rename Legitimate Utilities in Microsoft Sentinel
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.003 Rename Legitimate Utilities
- Canonical reference
- https://attack.mitre.org/techniques/T1036/003/
KQL Detection Query
let MonitoredUtilities = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "msbuild.exe", "psexec.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessVersionInfoOriginalFileName in~ (MonitoredUtilities)
| where FileName !in~ (MonitoredUtilities)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
ProcessVersionInfoOriginalFileName, ProcessVersionInfoProductName,
ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
SHA256
| sort by Timestamp descDetects renamed system utilities by comparing the OriginalFileName from PE metadata against the current file name on disk. When OriginalFileName matches a monitored utility (cmd.exe, rundll32.exe, certutil.exe, etc.) but the current filename does not match, the binary has been renamed. This is a high-fidelity detection used by APT groups including Lazarus Group, APT32, APT38, and menuPass.
Data Sources
Required Tables
False Positives & Tuning
- Software compatibility shims or wrappers that copy and rename system utilities as part of their normal operation
- Some application installers that bundle renamed copies of certutil.exe or other utilities for certificate management
- IT automation tools that copy system utilities to temporary directories with different names during deployment
- Windows Feature on Demand installations that may temporarily rename binaries
Other platforms for T1036.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rename cmd.exe and Execute
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\notcmd.exe, OriginalFileName=Cmd.Exe. The OriginalFileName mismatch is the key detection indicator.
- Test 2Rename certutil.exe for Download Cradle
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\cert_helper.exe, OriginalFileName=CertUtil.exe, CommandLine containing -urlcache. Network connection event (Sysmon ID 3) to 127.0.0.1.
- Test 3Rename rundll32.exe for Proxy Execution
Expected signal: Sysmon Event ID 1: Process Create with Image in ProgramData, OriginalFileName=RUNDLL32.EXE. File creation event for dbengin.exe in the PlayReady directory.
References (7)
- https://attack.mitre.org/techniques/T1036/003/
- https://www.elastic.co/blog/how-hunt-masquerade-ball
- https://lolbas-project.github.io/
- https://www.f-secure.com/documents/996508/1030745/CozyDuke
- https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
- https://x.com/ItsReallyNick/status/1055321652777619457
Unlock Pro Content
Get the full detection package for T1036.003 including response playbook, investigation guide, and atomic red team tests.