T1036.003: Rename System Utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-347: Copied_Or_Renamed_Executable: A user started a suspicious process whose description is similar to that of another process

Detection

ID	DS0009	Data source and component	Process: Process Metadata	Description	Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to files for unexpected modifications to file names that are mismatched between the file name on disk and that of the binary's PE metadata. This is a likely indicator that a binary was renamed after it was compiled. Note: There are no standard Windows events for file modification. However, Event ID 4663 (An attempt was made to access an object) can be used to audit and alert on attempts to access system utility binaries; the “Accesses” field can be used to filter by type of access (e.g., MODIFY vs DELETE).

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

ID	DS0022	Data source and component	File: File Metadata	Description	Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

ID	Data source and component	Description
DS0009	Process: Process Metadata	Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.
DS0022	File: File Modification	Monitor for changes made to files for unexpected modifications to file names that are mismatched between the file name on disk and that of the binary's PE metadata. This is a likely indicator that a binary was renamed after it was compiled. Note: There are no standard Windows events for file modification. However, Event ID 4663 (An attempt was made to access an object) can be used to audit and alert on attempts to access system utility binaries; the “Accesses” field can be used to filter by type of access (e.g., MODIFY vs DELETE).
DS0017	Command: Command Execution	Monitor executed commands and arguments that may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.
DS0022	File: File Metadata	Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

Mitigation

ID	M1022	Name	Restrict File and Directory Permissions	Description	Use file system access controls to protect folders such as C:\Windows\System32.

ID	Name	Description
M1022	Restrict File and Directory Permissions	Use file system access controls to protect folders such as C:\Windows\System32.