Detect Rename Legitimate Utilities in Splunk
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.003 Rename Legitimate Utilities
- Canonical reference
- https://attack.mitre.org/techniques/T1036/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(OriginalFileName IN ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "RUNDLL32.EXE", "MSHTA.EXE", "CertUtil.exe", "wscript.exe", "cscript.exe", "REGSVR32.EXE", "MSBuild.exe", "PsExec.exe", "bitsadmin.exe", "wmic.exe"))
| eval CurrentName=mvindex(split(Image, "\\"), -1)
| where lower(CurrentName)!=lower(OriginalFileName)
| eval RenamedFrom=OriginalFileName, RenamedTo=CurrentName
| table _time, host, User, Image, RenamedFrom, RenamedTo, CommandLine, ParentImage, ParentCommandLine, Hashes
| sort - _timeDetects renamed legitimate utilities using Sysmon Event ID 1 OriginalFileName field. Compares the PE metadata OriginalFileName against the current image name on disk. Mismatches indicate the binary was renamed, a technique used by APT groups to bypass security tool monitoring of specific binary names.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Software compatibility shims or wrappers that copy and rename system utilities
- Some application installers that bundle renamed copies of certutil.exe or other utilities
- IT automation tools that copy system utilities to temporary directories with different names
Other platforms for T1036.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Rename cmd.exe and Execute
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\notcmd.exe, OriginalFileName=Cmd.Exe. The OriginalFileName mismatch is the key detection indicator.
- Test 2Rename certutil.exe for Download Cradle
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\cert_helper.exe, OriginalFileName=CertUtil.exe, CommandLine containing -urlcache. Network connection event (Sysmon ID 3) to 127.0.0.1.
- Test 3Rename rundll32.exe for Proxy Execution
Expected signal: Sysmon Event ID 1: Process Create with Image in ProgramData, OriginalFileName=RUNDLL32.EXE. File creation event for dbengin.exe in the PlayReady directory.
References (7)
- https://attack.mitre.org/techniques/T1036/003/
- https://www.elastic.co/blog/how-hunt-masquerade-ball
- https://lolbas-project.github.io/
- https://www.f-secure.com/documents/996508/1030745/CozyDuke
- https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
- https://x.com/ItsReallyNick/status/1055321652777619457
Unlock Pro Content
Get the full detection package for T1036.003 including response playbook, investigation guide, and atomic red team tests.