Try in Splunk Security Cloud

Description

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-04-26
  • Author: Michael Haag, Splunk
  • ID: f0258af4-a6ae-11eb-b3c2-acde48001122

Narrative

Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.
The following content is here to assist with binaries within system32 or syswow64 being moved to a new location or an adversary bringing a the binary in to execute.
There will be false positives as some native Windows processes are moved or ran by third party applications from different paths. If file names are mismatched between the file name on disk and that of the binarys PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.

Detections

Name Technique Type
Execution of File with Multiple Extensions Masquerading, Rename System Utilities TTP
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal on Host TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious Rundll32 Rename Signed Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities Hunting
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
System Process Running from Unexpected Location Masquerading Anomaly
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities TTP

Reference

source | version: 1