Analytics Story: Masquerading - Rename System Utilities

Description

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

Why it matters

Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. The following content is here to assist with binaries within system32 or syswow64 being moved to a new location or an adversary bringing a the binary in to execute. There will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Execution of File With Spaces Before Extension Rename System Utilities TTP
Suspicious Rundll32 Rename System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities Hunting
Execution of File with Multiple Extensions Masquerading, Rename System Utilities TTP
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal TTP
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities Anomaly
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows LOLBAS Executed As Renamed File Masquerading, Rename System Utilities, Rundll32 TTP
Windows LOLBAS Executed Outside Expected Path Masquerading, Match Legitimate Name or Location, Rundll32 TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1