Find sigma rule

Attack: Masquerading: Rename System Utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)

MITRE

Tactic

defense-evasion

technique

T1036.003

Test : Masquerading - wscript.exe running as svchost.exe

OS

windows

Description:

Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.

Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder

Executor

command_prompt

Sigma Rule

proc_creation_win_susp_copy_system_dir.yml (id: fff9d2b7-e11c-4a69-93d3-40ef66189767)
file_event_win_creation_system_file.yml (id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d)
proc_creation_win_svchost_uncommon_parent_process.yml (id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d)
proc_creation_win_susp_system_exe_anomaly.yml (id: e4a6b256-3e47-40fc-89d2-7a477edd6915)
proc_creation_win_renamed_binary_highly_relevant.yml (id: 0ba1da6d-b6ce-4366-828c-18826c9de23e)
proc_creation_win_renamed_binary.yml (id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test