Find sigma rule 
Attack: Masquerading: Rename System Utilities
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
MITRE
Tactic
- defense-evasion
technique
- T1036.003
Test : File Extension Masquerading
OS
- windows
Description:
download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
Executor
command_prompt
Sigma Rule
-
proc_creation_win_susp_copy_system_dir.yml (id: fff9d2b7-e11c-4a69-93d3-40ef66189767)
-
proc_creation_win_calc_uncommon_exec.yml (id: 737e618a-a410-49b5-bec3-9e55ff7fbc15)
-
proc_creation_win_hostname_execution.yml (id: 7be5fb68-f9ef-476d-8b51-0256ebece19e)
-
proc_creation_win_whoami_execution.yml (id: e28a5a99-da44-436d-b7a0-2afc20a5f413)
-
proc_creation_win_susp_local_system_owner_account_discovery.yml (id: 502b42de-4306-40b4-9596-6f590c81f073)
-
proc_creation_win_powershell_abnormal_commandline_size.yml (id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6)
-
proc_creation_win_susp_double_extension.yml (id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8)
-
proc_creation_win_wscript_cscript_dropper.yml (id: cea72823-df4d-4567-950c-0b579eaf0846)
-
proc_creation_win_susp_script_exec_from_temp.yml (id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33)
-
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)