Rename System Utilities
Id | 335ddff8-b615-42cd-b593-86e419b45d78 |
Rulename | Rename System Utilities |
Description | Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames. This rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn’t match the original filename. This query is really heavy on resources. Use it with care. |
Severity | Medium |
Tactics | DefenseEvasion |
Techniques | T1036.003 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RenameSystemUtilities.yaml |
Version | 1.0.0 |
Arm template | 335ddff8-b615-42cd-b593-86e419b45d78.json |
// Removed update.exe as LOLBIN. It's a way too generic name and causes a lot of noise.
let lolbin = dynamic(["At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertReq.exe", "Certutil.exe", "Cmd.exe", "Cmdkey.exe", "Cmstp.exe", "Control.exe", "Csc.exe", "Cscript.exe", "Desktopimgdownldr.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Forfiles.exe", "Ftp.exe", "GfxDownloadWrapper.exe", "Gpscript.exe", "Hh.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Makecab.exe", "Mavinject.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Presentationhost.exe", "Print.exe", "Psr.exe", "Rasautou.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "Wmic.exe", "Wscript.exe", "Wsreset.exe", "Xwizard.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "csi.exe", "Devtoolslauncher.exe", "dnx.exe", "Dotnet.exe", "Dxcap.exe", "Excel.exe", "Mftrace.exe", "Msdeploy.exe", "msxsl.exe", "ntdsutil.exe", "Powerpnt.exe", "rcsi.exe", "Sqldumper.exe", "Sqlps.exe", "SQLToolsPS.exe", "Squirrel.exe", "te.exe", "Tracker.exe", "vsjitdebugger.exe", "Winword.exe", "Wsl.exe"]);
let allHashesLolbin = materialize(
DeviceProcessEvents
| where FileName in~ (lolbin) and not(isempty(SHA1))
| extend OriginalFilename = tolower(FileName)
| summarize by SHA1, OriginalFilename);
allHashesLolbin
| join kind=inner hint.strategy = broadcast DeviceProcessEvents on SHA1
| where FileName !~ OriginalFilename
| where not(OriginalFilename =~ "bash.exe" and FileName =~ "sh.exe")
| extend message=strcat("Usage of ", OriginalFilename, ". Renamed as ", FileName)
| project-reorder message
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RenameSystemUtilities.yaml
severity: Medium
name: Rename System Utilities
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- entityType: Account
fieldMappings:
- columnName: AccountSid
identifier: Sid
- columnName: AccountName
identifier: Name
- columnName: AccountDomain
identifier: NTDomain
- entityType: Process
fieldMappings:
- columnName: ProcessCommandLine
identifier: CommandLine
relevantTechniques:
- T1036.003
queryFrequency: 1d
triggerThreshold: 0
queryPeriod: 1d
description: |
Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames.
This rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn't match the original filename.
This query is really heavy on resources. Use it with care.
id: 335ddff8-b615-42cd-b593-86e419b45d78
version: 1.0.0
tactics:
- DefenseEvasion
query: |
// Removed update.exe as LOLBIN. It's a way too generic name and causes a lot of noise.
let lolbin = dynamic(["At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertReq.exe", "Certutil.exe", "Cmd.exe", "Cmdkey.exe", "Cmstp.exe", "Control.exe", "Csc.exe", "Cscript.exe", "Desktopimgdownldr.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Forfiles.exe", "Ftp.exe", "GfxDownloadWrapper.exe", "Gpscript.exe", "Hh.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Makecab.exe", "Mavinject.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Presentationhost.exe", "Print.exe", "Psr.exe", "Rasautou.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "Wmic.exe", "Wscript.exe", "Wsreset.exe", "Xwizard.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "csi.exe", "Devtoolslauncher.exe", "dnx.exe", "Dotnet.exe", "Dxcap.exe", "Excel.exe", "Mftrace.exe", "Msdeploy.exe", "msxsl.exe", "ntdsutil.exe", "Powerpnt.exe", "rcsi.exe", "Sqldumper.exe", "Sqlps.exe", "SQLToolsPS.exe", "Squirrel.exe", "te.exe", "Tracker.exe", "vsjitdebugger.exe", "Winword.exe", "Wsl.exe"]);
let allHashesLolbin = materialize(
DeviceProcessEvents
| where FileName in~ (lolbin) and not(isempty(SHA1))
| extend OriginalFilename = tolower(FileName)
| summarize by SHA1, OriginalFilename);
allHashesLolbin
| join kind=inner hint.strategy = broadcast DeviceProcessEvents on SHA1
| where FileName !~ OriginalFilename
| where not(OriginalFilename =~ "bash.exe" and FileName =~ "sh.exe")
| extend message=strcat("Usage of ", OriginalFilename, ". Renamed as ", FileName)
| project-reorder message
status: Available
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/335ddff8-b615-42cd-b593-86e419b45d78')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/335ddff8-b615-42cd-b593-86e419b45d78')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Rename System Utilities",
"description": "Attackers often use LOLBINs that are renamed to avoid detection rules that are based on filenames.\nThis rule detects renamed LOLBINs by first searching for all the known SHA1 hashes of the LOLBINs in your DeviceProcessEvents. This list is then used as reference to find other files executed which have a name that doesn't match the original filename. \nThis query is really heavy on resources. Use it with care.\n",
"severity": "Medium",
"enabled": true,
"query": "// Removed update.exe as LOLBIN. It's a way too generic name and causes a lot of noise. \nlet lolbin = dynamic([\"At.exe\", \"Atbroker.exe\", \"Bash.exe\", \"Bitsadmin.exe\", \"CertReq.exe\", \"Certutil.exe\", \"Cmd.exe\", \"Cmdkey.exe\", \"Cmstp.exe\", \"Control.exe\", \"Csc.exe\", \"Cscript.exe\", \"Desktopimgdownldr.exe\", \"Dfsvc.exe\", \"Diantz.exe\", \"Diskshadow.exe\", \"Dnscmd.exe\", \"Esentutl.exe\", \"Eventvwr.exe\", \"Expand.exe\", \"Extexport.exe\", \"Extrac32.exe\", \"Findstr.exe\", \"Forfiles.exe\", \"Ftp.exe\", \"GfxDownloadWrapper.exe\", \"Gpscript.exe\", \"Hh.exe\", \"Ie4uinit.exe\", \"Ieexec.exe\", \"Ilasm.exe\", \"Infdefaultinstall.exe\", \"Installutil.exe\", \"Jsc.exe\", \"Makecab.exe\", \"Mavinject.exe\", \"Microsoft.Workflow.Compiler.exe\", \"Mmc.exe\", \"MpCmdRun.exe\", \"Msbuild.exe\", \"Msconfig.exe\", \"Msdt.exe\", \"Mshta.exe\", \"Msiexec.exe\", \"Netsh.exe\", \"Odbcconf.exe\", \"Pcalua.exe\", \"Pcwrun.exe\", \"Pktmon.exe\", \"Presentationhost.exe\", \"Print.exe\", \"Psr.exe\", \"Rasautou.exe\", \"Reg.exe\", \"Regasm.exe\", \"Regedit.exe\", \"Regini.exe\", \"Register-cimprovider.exe\", \"Regsvcs.exe\", \"Regsvr32.exe\", \"Replace.exe\", \"Rpcping.exe\", \"Rundll32.exe\", \"Runonce.exe\", \"Runscripthelper.exe\", \"Sc.exe\", \"Schtasks.exe\", \"Scriptrunner.exe\", \"SyncAppvPublishingServer.exe\", \"Ttdinject.exe\", \"Tttracer.exe\", \"vbc.exe\", \"Verclsid.exe\", \"Wab.exe\", \"Wmic.exe\", \"Wscript.exe\", \"Wsreset.exe\", \"Xwizard.exe\", \"AgentExecutor.exe\", \"Appvlp.exe\", \"Bginfo.exe\", \"Cdb.exe\", \"csi.exe\", \"Devtoolslauncher.exe\", \"dnx.exe\", \"Dotnet.exe\", \"Dxcap.exe\", \"Excel.exe\", \"Mftrace.exe\", \"Msdeploy.exe\", \"msxsl.exe\", \"ntdsutil.exe\", \"Powerpnt.exe\", \"rcsi.exe\", \"Sqldumper.exe\", \"Sqlps.exe\", \"SQLToolsPS.exe\", \"Squirrel.exe\", \"te.exe\", \"Tracker.exe\", \"vsjitdebugger.exe\", \"Winword.exe\", \"Wsl.exe\"]); \nlet allHashesLolbin = materialize(\nDeviceProcessEvents\n| where FileName in~ (lolbin) and not(isempty(SHA1))\n| extend OriginalFilename = tolower(FileName)\n| summarize by SHA1, OriginalFilename);\nallHashesLolbin\n| join kind=inner hint.strategy = broadcast DeviceProcessEvents on SHA1\n| where FileName !~ OriginalFilename\n| where not(OriginalFilename =~ \"bash.exe\" and FileName =~ \"sh.exe\")\n| extend message=strcat(\"Usage of \", OriginalFilename, \". Renamed as \", FileName)\n| project-reorder message\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1036.003"
],
"alertRuleTemplateName": "335ddff8-b615-42cd-b593-86e419b45d78",
"customDetails": null,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "DeviceName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "Sid",
"columnName": "AccountSid"
},
{
"identifier": "Name",
"columnName": "AccountName"
},
{
"identifier": "NTDomain",
"columnName": "AccountDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"identifier": "CommandLine",
"columnName": "ProcessCommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/RenameSystemUtilities.yaml",
"status": "Available",
"templateVersion": "1.0.0"
}
}
]
}