Rename System Utilities
Id | 335ddff8-b615-42cd-b593-86e419b45d78 |
Rulename | Rename System Utilities |
Description | Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames. This rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn’t match the original filename. This query is really heavy on resources. Use it with care. |
Severity | Medium |
Tactics | DefenseEvasion |
Techniques | T1036.003 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RenameSystemUtilities.yaml |
Version | 1.0.0 |
Arm template | 335ddff8-b615-42cd-b593-86e419b45d78.json |
// Removed update.exe as LOLBIN. It's a way too generic name and causes a lot of noise.
let lolbin = dynamic(["At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertReq.exe", "Certutil.exe", "Cmd.exe", "Cmdkey.exe", "Cmstp.exe", "Control.exe", "Csc.exe", "Cscript.exe", "Desktopimgdownldr.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Forfiles.exe", "Ftp.exe", "GfxDownloadWrapper.exe", "Gpscript.exe", "Hh.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Makecab.exe", "Mavinject.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Presentationhost.exe", "Print.exe", "Psr.exe", "Rasautou.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "Wmic.exe", "Wscript.exe", "Wsreset.exe", "Xwizard.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "csi.exe", "Devtoolslauncher.exe", "dnx.exe", "Dotnet.exe", "Dxcap.exe", "Excel.exe", "Mftrace.exe", "Msdeploy.exe", "msxsl.exe", "ntdsutil.exe", "Powerpnt.exe", "rcsi.exe", "Sqldumper.exe", "Sqlps.exe", "SQLToolsPS.exe", "Squirrel.exe", "te.exe", "Tracker.exe", "vsjitdebugger.exe", "Winword.exe", "Wsl.exe"]);
let allHashesLolbin = materialize(
DeviceProcessEvents
| where FileName in~ (lolbin) and not(isempty(SHA1))
| extend OriginalFilename = tolower(FileName)
| summarize by SHA1, OriginalFilename);
allHashesLolbin
| join kind=inner hint.strategy = broadcast DeviceProcessEvents on SHA1
| where FileName !~ OriginalFilename
| where not(OriginalFilename =~ "bash.exe" and FileName =~ "sh.exe")
| extend message=strcat("Usage of ", OriginalFilename, ". Renamed as ", FileName)
| project-reorder message
relevantTechniques:
- T1036.003
queryPeriod: 1d
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
entityType: Host
- fieldMappings:
- identifier: Sid
columnName: AccountSid
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
entityType: Account
- fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
entityType: Process
name: Rename System Utilities
status: Available
query: |
// Removed update.exe as LOLBIN. It's a way too generic name and causes a lot of noise.
let lolbin = dynamic(["At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertReq.exe", "Certutil.exe", "Cmd.exe", "Cmdkey.exe", "Cmstp.exe", "Control.exe", "Csc.exe", "Cscript.exe", "Desktopimgdownldr.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Forfiles.exe", "Ftp.exe", "GfxDownloadWrapper.exe", "Gpscript.exe", "Hh.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Makecab.exe", "Mavinject.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Presentationhost.exe", "Print.exe", "Psr.exe", "Rasautou.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "Wmic.exe", "Wscript.exe", "Wsreset.exe", "Xwizard.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "csi.exe", "Devtoolslauncher.exe", "dnx.exe", "Dotnet.exe", "Dxcap.exe", "Excel.exe", "Mftrace.exe", "Msdeploy.exe", "msxsl.exe", "ntdsutil.exe", "Powerpnt.exe", "rcsi.exe", "Sqldumper.exe", "Sqlps.exe", "SQLToolsPS.exe", "Squirrel.exe", "te.exe", "Tracker.exe", "vsjitdebugger.exe", "Winword.exe", "Wsl.exe"]);
let allHashesLolbin = materialize(
DeviceProcessEvents
| where FileName in~ (lolbin) and not(isempty(SHA1))
| extend OriginalFilename = tolower(FileName)
| summarize by SHA1, OriginalFilename);
allHashesLolbin
| join kind=inner hint.strategy = broadcast DeviceProcessEvents on SHA1
| where FileName !~ OriginalFilename
| where not(OriginalFilename =~ "bash.exe" and FileName =~ "sh.exe")
| extend message=strcat("Usage of ", OriginalFilename, ". Renamed as ", FileName)
| project-reorder message
queryFrequency: 1d
id: 335ddff8-b615-42cd-b593-86e419b45d78
severity: Medium
description: |
Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames.
This rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn't match the original filename.
This query is really heavy on resources. Use it with care.
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RenameSystemUtilities.yaml
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/335ddff8-b615-42cd-b593-86e419b45d78')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/335ddff8-b615-42cd-b593-86e419b45d78')]",
"properties": {
"alertRuleTemplateName": "335ddff8-b615-42cd-b593-86e419b45d78",
"customDetails": null,
"description": "Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames.\nThis rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn't match the original filename. \nThis query is really heavy on resources. Use it with care.\n",
"displayName": "Rename System Utilities",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountSid",
"identifier": "Sid"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RenameSystemUtilities.yaml",
"query": "// Removed update.exe as LOLBIN. It's a way too generic name and causes a lot of noise. \nlet lolbin = dynamic([\"At.exe\", \"Atbroker.exe\", \"Bash.exe\", \"Bitsadmin.exe\", \"CertReq.exe\", \"Certutil.exe\", \"Cmd.exe\", \"Cmdkey.exe\", \"Cmstp.exe\", \"Control.exe\", \"Csc.exe\", \"Cscript.exe\", \"Desktopimgdownldr.exe\", \"Dfsvc.exe\", \"Diantz.exe\", \"Diskshadow.exe\", \"Dnscmd.exe\", \"Esentutl.exe\", \"Eventvwr.exe\", \"Expand.exe\", \"Extexport.exe\", \"Extrac32.exe\", \"Findstr.exe\", \"Forfiles.exe\", \"Ftp.exe\", \"GfxDownloadWrapper.exe\", \"Gpscript.exe\", \"Hh.exe\", \"Ie4uinit.exe\", \"Ieexec.exe\", \"Ilasm.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Jsc.exe\", \"Makecab.exe\", \"Mavinject.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Mmc.exe\", \"MpCmdRun.exe\", \"Msbuild.exe\", \"Msconfig.exe\", \"Msdt.exe\", \"Mshta.exe\", \"Msiexec.exe\", \"Netsh.exe\", \"Odbcconf.exe\", \"Pcalua.exe\", \"Pcwrun.exe\", \"Pktmon.exe\", \"Presentationhost.exe\", \"Print.exe\", \"Psr.exe\", \"Rasautou.exe\", \"Reg.exe\", \"Regasm.exe\", \"Regedit.exe\", \"Regini.exe\", \"Register-cimprovider.exe\", \"Regsvcs.exe\", \"Regsvr32.exe\", \"Replace.exe\", \"Rpcping.exe\", \"Rundll32.exe\", \"Runonce.exe\", \"Runscripthelper.exe\", \"Sc.exe\", \"Schtasks.exe\", \"Scriptrunner.exe\", \"SyncAppvPublishingServer.exe\", \"Ttdinject.exe\", \"Tttracer.exe\", \"vbc.exe\", \"Verclsid.exe\", \"Wab.exe\", \"Wmic.exe\", \"Wscript.exe\", \"Wsreset.exe\", \"Xwizard.exe\", \"AgentExecutor.exe\", \"Appvlp.exe\", \"Bginfo.exe\", \"Cdb.exe\", \"csi.exe\", \"Devtoolslauncher.exe\", \"dnx.exe\", \"Dotnet.exe\", \"Dxcap.exe\", \"Excel.exe\", \"Mftrace.exe\", \"Msdeploy.exe\", \"msxsl.exe\", \"ntdsutil.exe\", \"Powerpnt.exe\", \"rcsi.exe\", \"Sqldumper.exe\", \"Sqlps.exe\", \"SQLToolsPS.exe\", \"Squirrel.exe\", \"te.exe\", \"Tracker.exe\", \"vsjitdebugger.exe\", \"Winword.exe\", \"Wsl.exe\"]); \nlet allHashesLolbin = materialize(\nDeviceProcessEvents\n| where FileName in~ (lolbin) and not(isempty(SHA1))\n| extend OriginalFilename = tolower(FileName)\n| summarize by SHA1, OriginalFilename);\nallHashesLolbin\n| join kind=inner hint.strategy = broadcast DeviceProcessEvents on SHA1\n| where FileName !~ OriginalFilename\n| where not(OriginalFilename =~ \"bash.exe\" and FileName =~ \"sh.exe\")\n| extend message=strcat(\"Usage of \", OriginalFilename, \". Renamed as \", FileName)\n| project-reorder message\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1036"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}