Detect Rename Legitimate Utilities in Sumo Logic CSE
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1036 Masquerading
- Sub-technique: T1036.003 Rename Legitimate Utilities
- Canonical reference: https://attack.mitre.org/techniques/T1036/003/
Sumo Detection Query
_sourceCategory=*windows*sysmon* EventCode=1
| where OriginalFileName in ("Cmd.Exe","PowerShell.EXE","pwsh.dll","RUNDLL32.EXE","MSHTA.EXE","CertUtil.exe","wscript.exe","cscript.exe","REGSVR32.EXE","MSBuild.exe","PsExec.exe","bitsadmin.exe","wmic.exe")
| parse regex field=Image "(?<CurrentName>[^\\]+)$" nodrop
| where toLowerCase(CurrentName) != toLowerCase(OriginalFileName)
| table _time, host, User, Image, OriginalFileName, CurrentName, CommandLine, ParentImage, ParentCommandLine, Hashes
| sort by _time desc
Sumo Logic query against Sysmon Event ID 1 logs that detects renamed legitimate Windows utilities. It extracts the trailing filename component from the Sysmon Image field using a regex capturing group that matches all characters after the last backslash, then performs a case-insensitive comparison against the PE OriginalFileName field to surface mismatches. Requires a Sumo Logic installed collector forwarding the Microsoft-Windows-Sysmon/Operational channel.
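The same comparison, reimplemented in Python so it can be exercised offline against a handful of constructed Sysmon Event ID 1 records (added example, not code from the page or from Sumo Logic). It mirrors the query's regex extraction of the trailing Image component and its case-insensitive name comparison, and adds a tuned variant that compares name stems and honours a directory allow-list: the query's own watchlist contains pwsh.dll, so an exact-name comparison flags every PowerShell 7 pwsh.exe launch whose PE OriginalFileName is pwsh.dll. The sample events, host names and paths are constructed.

```python
import re

# Watchlist of PE OriginalFileName values taken from the Sumo query,
# lower-cased because the query compares with toLowerCase().
WATCHLIST = {
    name.lower()
    for name in (
        "Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "RUNDLL32.EXE", "MSHTA.EXE",
        "CertUtil.exe", "wscript.exe", "cscript.exe", "REGSVR32.EXE",
        "MSBuild.exe", "PsExec.exe", "bitsadmin.exe", "wmic.exe",
    )
}

# Same pattern as the query's parse step: everything after the last backslash.
CURRENT_NAME_RE = re.compile(r"[^\\]+$")

# Constructed Sysmon Event ID 1 records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "User": "corp\\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"host": "WS01", "User": "corp\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\notcmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "notcmd.exe /c whoami"},
    {"host": "WS02", "User": "corp\\bob",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll", "CommandLine": "pwsh.exe -NoProfile"},
    {"host": "WS02", "User": "corp\\bob",
     "Image": r"C:\ProgramData\cert_helper.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "cert_helper.exe -urlcache -split -f http://127.0.0.1/a.txt"},
    {"host": "WS03", "User": "corp\\svc_build",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
    {"host": "WS03", "User": "corp\\svc_build",
     "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def current_name(image):
    """Trailing path component of the Image field ('' if the field is empty)."""
    match = CURRENT_NAME_RE.search(image or "")
    return match.group(0) if match else ""


def strict_mismatch(event):
    """The page's query logic: a watchlisted OriginalFileName whose lower-cased
    on-disk name differs from the lower-cased OriginalFileName."""
    original = event.get("OriginalFileName") or ""
    if original.lower() not in WATCHLIST:
        return False
    current = current_name(event.get("Image"))
    return bool(current) and current.lower() != original.lower()


def stem(name):
    """File name without its last extension, lower-cased."""
    return name.rsplit(".", 1)[0].lower()


def stem_mismatch(event, allowed_prefixes=()):
    """Tuned variant (an assumption of this example, not the page's query):
    compare stems so pwsh.exe / pwsh.dll is not flagged, and skip images
    under directories the analyst has allow-listed."""
    original = event.get("OriginalFileName") or ""
    if original.lower() not in WATCHLIST:
        return False
    image = event.get("Image") or ""
    if any(image.lower().startswith(prefix.lower()) for prefix in allowed_prefixes):
        return False
    current = current_name(image)
    return bool(current) and stem(current) != stem(original)


def find_renamed_utilities(events, strict=False, allowed_prefixes=()):
    """Return the events the chosen comparison flags, in input order."""
    if strict:
        return [e for e in events if strict_mismatch(e)]
    return [e for e in events if stem_mismatch(e, allowed_prefixes)]


if __name__ == "__main__":
    for hit in find_renamed_utilities(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['User']} {hit['Image']} "
              f"(OriginalFileName={hit['OriginalFileName']})")
```

Run stand-alone it prints the two renamed binaries (notcmd.exe and cert_helper.exe); the strict mode reproduces the query exactly and additionally flags the legitimate pwsh.exe launch, which is the false positive the stem comparison removes. The allow-list hook is where the False Positives section's build-agent workspaces or application-virtualization paths would be excluded.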
Data Sources
Required Tables
False Positives & Tuning
- Application virtualization solutions (Citrix App-V, Microsoft App-V) that execute system utilities through renamed container wrappers or compatibility shim layers
- Endpoint management platforms (Ivanti Endpoint Manager, Jamf for Windows) that ship bundled administrative utilities under proprietary executable names for agent operations
- DevOps build pipeline self-hosted agents (Jenkins, GitHub Actions, TeamCity) that rename system tools within isolated build workspace directories during compilation or test runs
Other platforms for T1036.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Rename cmd.exe and Execute
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\notcmd.exe, OriginalFileName=Cmd.Exe. The OriginalFileName mismatch is the key detection indicator.
- Test 2: Rename certutil.exe for Download Cradle
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\cert_helper.exe, OriginalFileName=CertUtil.exe, CommandLine containing -urlcache. Network connection event (Sysmon ID 3) to 127.0.0.1.
- Test 3: Rename rundll32.exe for Proxy Execution
Expected signal: Sysmon Event ID 1: Process Create with Image in ProgramData, OriginalFileName=RUNDLL32.EXE. File creation event for dbengin.exe in the PlayReady directory.
References (7)
- https://attack.mitre.org/techniques/T1036/003/
- https://www.elastic.co/blog/how-hunt-masquerade-ball
- https://lolbas-project.github.io/
- https://www.f-secure.com/documents/996508/1030745/CozyDuke
- https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
- https://x.com/ItsReallyNick/status/1055321652777619457