Find Processes with Renamed Executables

Description

Oftentimes, attackers will execute a temporary file and then rename it to something innocuous (e.g. svchost.exe) to maintain persistence. This search looks for executables that have been renamed. (MITRE CAR Reference)


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

Often when we investigate malware, we look for files that share the same filename but have different hashes. This could point to either legitimate binary update activity or a malicious process masquerading as a legitimate one. But what about executables that have different filenames but the same hash? This could be malware renaming itself to masquerade as something benign. In the example here, we see a .tmp file dumped into a roaming directory that later gets renamed to a legitimate Windows executable name, yet it has the same hash as before. This warrants investigation.

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Masquerading

MITRE Threat Groups

APT1
APT32
APT41
BRONZE BUTLER
Carbanak
Dragonfly 2.0
FIN6
FIN7
Ke3chang
MuddyWater
PLATINUM
Patchwork
Poseidon Group
Scarlet Mimic
Soft Cell
Sowbug
TEMP.Veles
admin@338
menuPass

Kill Chain Phases

Installation
Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

Implementing this search is similar to any of the other searches that require EDR data. In order to use it, we need process launch events that include file hash information. For the demo and live versions of this search we use Microsoft Sysmon with the CommandLine field, but you could adjust it to another data source by matching the field names (extract the filename and sha1, or change the field names to match that data source).

Known False Positives

This search will look for any time an executable file is renamed, which should be rare but could occur during software installations. If you see false positives here, you should be able to filter out the noise by looking at the final filename and excluding those instances. Generally, you should not review these alerts directly (except for high sensitivity accounts), but instead use them for context, or to aggregate risk (as mentioned under How To Respond).

How To Respond

When this search returns values, initiate your incident response process and identify the system(s) with the matching hashes. Determine which system(s) are executing the renamed executables by observing the user, image and parent image values, amongst others. Contact the user and the system owner regarding this action. If it is authorized, document that it is authorized and by whom. If not, the user credentials may have been used by another party and additional investigation is warranted to determine whether executables with common names have been loaded onto the system.

Help

Find Processes with Renamed Executables Help

This example leverages the Simple Search assistant. Our dataset is a collection of Windows process launch logs (Event ID 4688) with hashing turned on (tools such as WLS or Sysmon can help here). The search then counts the number of filenames per system, per file hash, and surfaces files that have been renamed.

SPL for Find Processes with Renamed Executables

Demo Data

First we pull in our demo dataset. This could be any EDR data source that provides file hash information.
Earlier versions of Sysmon didn't extract a filename by default, so we are adding that in here. We also make it lowercase so that Windows' lack of case sensitivity doesn't mess with our analysis.
Next we use stats to calculate how many different filenames that hash ran as, including the filenames and the full command-line strings for contextual data.
Finally, we filter for where the same hash ran as at least two filenames, indicating a rename.

Live Data

First we pull in our basic dataset, which consists of XML-format Sysmon logs from the endpoints (ingested via the Sysmon TA). This could be any EDR data source that provides file hash information. Because we're looking for process launches, we then filter for EventCode=1 (the Sysmon Process Launch code).
Earlier versions of Sysmon didn't extract a filename by default, so we are adding that in here. We also make it lowercase so that Windows' lack of case sensitivity doesn't mess with our analysis.
Next we use stats to calculate how many different filenames that hash ran as, including the filenames and the full command-line strings for contextual data.
Finally, we filter for where the same hash ran as at least two filenames, indicating a rename.
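The Demo Data and Live Data steps above, reproduced in Python over constructed Sysmon-style events rather than in SPL, as an added example that is not part of the original page or the Splunk Security Essentials content. The sample events, hash values and the ignore_final_names parameter (for the Known False Positives filtering) are assumptions; the field names (host, Image, CommandLine, Hashes) follow the Sysmon TA.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-launch (Event ID 1) records, not real
# telemetry. Field names follow the Splunk Sysmon TA; hashes are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "Image": r"C:\Users\bob\AppData\Roaming\8f3a.tmp",
     "CommandLine": r"C:\Users\bob\AppData\Roaming\8f3a.tmp",
     "Hashes": "SHA1=AAAA1111,MD5=00000000,SHA256=11111111"},
    {"host": "ws01", "Image": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "CommandLine": r"C:\Users\bob\AppData\Roaming\svchost.exe -k netsvcs",
     "Hashes": "SHA1=AAAA1111,MD5=00000000,SHA256=11111111"},
    # Same binary, different path casing only: must NOT count as a rename.
    {"host": "ws02", "Image": r"C:\Windows\System32\Svchost.exe",
     "CommandLine": "Svchost.exe -k RPCSS", "Hashes": "SHA1=BBBB2222,MD5=0"},
    {"host": "ws02", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "Hashes": "SHA1=BBBB2222,MD5=0"},
]

SHA1_RE = re.compile(r"SHA1=([0-9A-Fa-f]+)")

def parse_event(event):
    """Extraction step: sha1 from the Hashes field, filename from Image, both
    lowercased so Windows case-insensitivity cannot split one file into two."""
    match = SHA1_RE.search(event.get("Hashes", ""))
    if not match:
        return None  # no SHA1 recorded: nothing to correlate on
    filename = PureWindowsPath(event["Image"]).name.lower()
    return event["host"], match.group(1).lower(), filename, event.get("CommandLine", "")

def find_renamed_executables(events, min_names=2, ignore_final_names=()):
    """stats dc(filename) values(filename) values(CommandLine) by host, sha1
    | where dc(filename) >= min_names. ignore_final_names drops known-benign
    final names (installer noise). Returns {(host, sha1): context dict}."""
    groups = defaultdict(lambda: {"filenames": set(), "command_lines": set()})
    for event in events:
        parsed = parse_event(event)
        if parsed is None:
            continue
        host, sha1, filename, cmdline = parsed
        groups[(host, sha1)]["filenames"].add(filename)
        groups[(host, sha1)]["command_lines"].add(cmdline)
    ignored = {name.lower() for name in ignore_final_names}
    return {key: ctx for key, ctx in groups.items()
            if len(ctx["filenames"] - ignored) >= min_names}
```

Calling find_renamed_executables(SAMPLE_EVENTS) flags only the ws01 hash, whose .tmp file was later launched as svchost.exe; the ws02 pair differs in case alone and is not reported.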