Skip to content
Threat Feed
high advisory

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

This brief details a defense evasion technique where attackers rename legitimate Windows system binaries to mask malicious activity, bypassing security solutions that rely on process names for detection.

This brief details a common defense evasion technique employed by various threat actors and malware, which involves renaming legitimate Windows system binaries (such as powershell.exe, certutil.exe, or rundll32.exe) to mask their malicious activity. By altering the filename, attackers attempt to bypass security solutions that rely on process names for detection, whitelisting, or behavioral analysis. This technique is crucial for defenders to address as it allows the abuse of trusted processes for malicious ends, enabling subsequent actions like persistence or execution without immediate detection. Detection leverages the OriginalFileName field in Sysmon events, which retains the original name of the executable regardless of its current filename, providing a robust way to identify this stealthy behavior. This method has been observed in various campaigns, including ransomware like MegaCortex.

Attack Chain

  1. Initial Access: An attacker gains initial access to a target system through various means (e.g., phishing, exploiting a vulnerability).
  2. Staging Malicious Binary: The attacker transfers or creates a malicious payload or script on the compromised system.
  3. Identify Legitimate Binary: The attacker identifies a legitimate, trusted Windows system binary, such as powershell.exe, certutil.exe, or rundll32.exe, commonly used for system administration.
  4. Rename Binary for Evasion: The attacker copies the legitimate binary and renames the copy to a less suspicious name (e.g., powershell.exe renamed to update.exe or svchost.exe).
  5. Execute Renamed Binary: The attacker executes the renamed binary (e.g., update.exe) to carry out malicious operations, such as executing a script, downloading additional payloads, or performing lateral movement.
  6. Defense Evasion: The renamed process runs with the functionality of the original system binary but appears as a different, potentially benign, process name to security tools that do not inspect the OriginalFileName metadata.
  7. Achieve Objective: This evasion enables the attacker to achieve their objectives, such as establishing persistence, escalating privileges, exfiltrating data, or deploying ransomware, with a reduced risk of detection.

Impact

If this defense evasion technique is successful, attackers can execute powerful system tools under disguise, significantly increasing the likelihood of successful persistence, lateral movement, or data exfiltration without triggering process-name-based security alerts. This can extend an attacker's dwell time and the scope of compromise, as seen in ransomware attacks like MegaCortex which utilized this method to distribute payloads. The ability to masquerade malicious activity under the guise of legitimate processes directly undermines the effectiveness of security monitoring and incident response efforts.

Recommendation

  • Deploy the provided Sigma rule (Potential Defense Evasion Via Rename Of Highly Relevant Binaries) to your SIEM.
  • Ensure Sysmon is configured to log process creation events (EventID 1) including the OriginalFileName field, which is critical for the detection rule.
  • Tune the rule for your environment by analyzing falsepositives described in the rule, such as custom applications that rename binaries, and add specific exclusions if necessary.
  • Prioritize investigation of alerts generated by the Potential Defense Evasion Via Rename Of Highly Relevant Binaries rule, as they indicate a strong likelihood of malicious activity.

Detection coverage 1

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

high

Detects the execution of a renamed binary often used by attackers or malware leveraging the Sysmon OriginalFileName datapoint to identify original process identity.

sigma tactics: stealth techniques: T1036.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →