T1036.003: Rename System Utilities

Data from MITRE ATT&CK®:

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

File Modification (File)

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Process Metadata (Process)

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

Masquerading - cscript.exe running as notepad.exe

windows

Masquerading - powershell.exe running as taskhostw.exe

windows

Masquerading as FreeBSD or Linux crond process.

linux

Masquerading - windows exe running as different windows exe

windows

Masquerading - non-windows exe running as windows exe

windows

Malicious process Masquerading as LSM.exe

windows

Masquerading as Windows LSASS process

windows

Masquerading - wscript.exe running as svchost.exe

windows

File Extension Masquerading

windows

File With Suspicious Extension Downloaded Via Bitsadmin

windows process creation

Potential Homoglyph Attack Using Lookalike Characters

windows process creation

LOL-Binary Copied From System Directory

windows process creation

Suspicious Copy From or To System Directory

windows process creation

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

windows process creation

PUA - Potential PE Metadata Tamper Using Rcedit

windows process creation

Suspicious Start-Process PassThru

windows ps script

File Download Via Bitsadmin To An Uncommon Target Folder

windows process creation

Suspicious Download From Direct IP Via Bitsadmin

windows process creation

Renamed Jusched.EXE Execution

windows process creation

File Download Via Bitsadmin To A Suspicious Target Folder

windows process creation

Potential Homoglyph Attack Using Lookalike Characters in Filename

windows file event

Potential Defense Evasion Via Binary Rename

windows process creation

Renamed ProcDump Execution

windows process creation

Potential WerFault ReflectDebugger Registry Value Abuse

windows registry set

Renamed BrowserCore.EXE Execution

windows process creation

File Download Via Bitsadmin

windows process creation

Renamed Msdt.EXE Execution

windows process creation

Potential PendingFileRenameOperations Tamper

windows registry set

Windows Processes Suspicious Parent Directory

windows process creation

Masquerading as Linux Crond Process

linux

Suspicious Download From File-Sharing Website Via Bitsadmin

windows process creation