Masquerading Renamed executables of interest
This query searches for the original file name of a set of binaries that are known to be used by attackers. The OriginalFileName field is then compared with the actual file name. Where the two do not match, the row is returned, indicating the file has been renamed. The original file name is taken from the PE header of the executable, which records the name the binary was given at compile time.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1036.003 Masquerading: Rename Legitimate Utilities |
References
Event coverage
| Provider | Event/ActionType | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | ProcessCreated | Process created |
Rule body kusto
// Lookback window for the ingestion_time() filter below.
let timeframe = 2*1h;
// Living-off-the-land binaries, listed by the name recorded in the PE version
// resource (OriginalFileName), not necessarily the on-disk name.
let lolbins = dynamic(["at.exe", "atbroker.exe", "bash.exe", "bitsadmin.exe", "certreq.exe", "certutil.exe", "cmd.exe", "cmdkey.exe", "cmstp.exe", "control.exe", "csc.exe", "cscript.exe", "desktopimgdownldr.exe", "dfsvc.exe", "diantz.exe", "diskshadow.exe", "dnscmd.exe", "esentutl.exe", "eventvwr.exe", "expand.exe", "extexport.exe", "extrac32.exe", "findstr.exe", "forfiles.exe", "ftp.exe", "gfxdownloadwrapper.exe", "gpscript.exe", "hh.exe", "ie4uinit.exe", "ieexec.exe", "ilasm.exe", "infdefaultinstall.exe", "installutil.exe", "jsc.exe", "makecab.exe", "mavinject.exe", "microsoft.workflow.compiler.exe", "mmc.exe", "mpcmdrun.exe", "msbuild.exe", "msconfig.exe", "msdt.exe", "mshta.exe", "msiexec.exe", "netsh.exe", "odbcconf.exe", "pcalua.exe", "pcwrun.exe", "pktmon.exe", "presentationhost.exe", "print.exe", "psr.exe", "rasautou.exe", "reg.exe", "regasm.exe", "regedit.exe", "regini.exe", "register-cimprovider.exe", "regsvcs.exe", "regsvr32.exe", "replace.exe", "rpcping.exe", "rundll32.exe", "runonce.exe", "runscripthelper.exe", "sc.exe", "schtasks.exe", "scriptrunner.exe", "syncappvpublishingserver.exe", "ttdinject.exe", "tttracer.exe", "vbc.exe", "verclsid.exe", "wab.exe", "wmic.exe", "wscript.exe", "wsreset.exe", "xwizard.exe", "agentexecutor.exe", "appvlp.exe", "bginfo.exe", "cdb.exe", "csi.exe", "devtoolslauncher.exe", "dnx.exe", "dotnet.exe", "dxcap.exe", "excel.exe", "mftrace.exe", "msdeploy.exe", "msxsl.exe", "ntdsutil.exe", "powerpnt.exe", "rcsi.exe", "sqldumper.exe", "sqlps.exe", "sqltoolsps.exe", "squirrel.exe", "te.exe", "tracker.exe", "vsjitdebugger.exe", "winword.exe", "wsl.exe", "powershell.exe", "pwsh.exe"]);
// Discovery, lateral-movement and Sysinternals-style utilities, also keyed on
// OriginalFileName. "psexec.c" is the PE-header name of psexec.exe (see the
// exclusions below); entries without an ".exe" suffix such as "procdump" and
// "regsize" are presumably PE-header names as well — confirm before editing.
let binaries_of_interest = dynamic(["net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "tasklist.exe", "quser.exe", "tracert.exe", "route.exe", "runas.exe", "klist.exe", "wevtutil.exe", "wmiprvse.exe", "powershell.exe", "bash.exe", "qwinsta.exe", "rwinsta.exe", "replace.exe", "findstr.exe", "icacls.exe", "cacls.exe", "xcopy.exe", "robocopy.exe", "takeown.exe", "vssadmin.exe", "nltest.exe", "nltestk.exe", "sctasks.exe", "nbtstat.exe", "nbtinfo.exe", "mofcomp.exe", "nltestrk.exe", "dnscmd.exe", "registercimprovider.exe", "registercimprovider2.exe", "procdump", "ru.exe", "pspasswd.exe", "psexec.c", "psexec.exe", "pslist.exe", "regsize", "pskill.exe", "pkill.exe", "wsmprovhost.exe", "fltmc.exe", "sdbinst.exe"]);
// Merge both lists into one reference list. Names present in both (e.g.
// bash.exe, powershell.exe, findstr.exe) are simply duplicated; in~ is unaffected.
let original_file_name_set=array_concat(lolbins,binaries_of_interest);
DeviceProcessEvents
// Bound the scan on ingestion time rather than on the event Timestamp.
| where ingestion_time() >= ago(timeframe)
| where ActionType =~ "ProcessCreated"
// Lower-case both sides so the final != comparison is effectively case-insensitive.
| extend process_name=tolower(FileName)
| extend original_file_name=tolower(ProcessVersionInfoOriginalFileName)
// Keep only binaries on the watch list, matched on the PE-header name.
| where original_file_name in~ (original_file_name_set)
// Rows with no OriginalFileName are dropped here, so the rule only evaluates
// binaries that still carry a version resource — a known coverage gap.
| where original_file_name != ""
// Filter some known mismatches between PE header FileName and the binary FileName.
// These exclusions are anchored on the exact FolderPath, so the same pair of
// names seen outside the expected directory still alerts.
// NOTE(review): the schtasks.exe exclusion has process_name equal to
// original_file_name, which the final != test already removes; it is redundant.
| where not(process_name=~"schtasks.exe" and original_file_name=~"schtasks.exe" and (FolderPath=~@"C:\Windows\System32\schtasks.exe" or FolderPath=~@"C:\Windows\SysWOW64\schtasks.exe"))
| where not(process_name=~"nbtstat.exe" and original_file_name=~"nbtinfo.exe" and FolderPath=~@"C:\Windows\System32\nbtstat.exe")
| where not(process_name=~"bginfo64.exe" and original_file_name=~"bginfo.exe" and (FolderPath=~@"C:\Windows\System32\Bginfo64.exe" or FolderPath =~@"C:\Program Files\SysInternals BGInfo\Bginfo64.exe"))
// Filter MS Excel file format converter.
// Prefix match on the Office install directories rather than an exact path.
| where not(process_name=~"excelcnv.exe" and original_file_name=~"excel.exe" and (FolderPath startswith @"C:\Program Files\Microsoft Office Web Apps\ExcelServicesEcs\" or FolderPath startswith @"C:\Program Files\Microsoft Office\" or FolderPath startswith @"C:\Program Files (x86)\Microsoft Office\"))
// Optionally filter this (when psexec is actually common in your environment).
// Unlike the exclusions above, these two are not anchored on FolderPath.
| where not(process_name=~"psexec.exe" and original_file_name=~"psexec.c")
| where not(process_name=~"psexec64.exe" and original_file_name=~"psexec.c")
// Whatever remains has an on-disk name that differs from its PE-header name.
| where process_name != original_file_name
// The initiating-process columns are emitted for triage only; they are not compared.
| project Timestamp,DeviceName,DeviceId,AccountName,process_name, original_file_name, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ReportId, InitiatingProcessAccountUpn
// Begin environment-specific filter.
// End environment-specific filter.
Stages and Predicates
Parameters
let timeframe = 2*1h;
let original_file_name_set = array_concat(lolbins,binaries_of_interest);
Let binding: lolbins
let lolbins = dynamic(["at.exe", "atbroker.exe", "bash.exe", "bitsadmin.exe", "certreq.exe", "certutil.exe", "cmd.exe", "cmdkey.exe", "cmstp.exe", "control.exe", "csc.exe", "cscript.exe", "desktopimgdownldr.exe", "dfsvc.exe", "diantz.exe", "diskshadow.exe", "dnscmd.exe", "esentutl.exe", "eventvwr.exe", "expand.exe", "extexport.exe", "extrac32.exe", "findstr.exe", "forfiles.exe", "ftp.exe", "gfxdownloadwrapper.exe", "gpscript.exe", "hh.exe", "ie4uinit.exe", "ieexec.exe", "ilasm.exe", "infdefaultinstall.exe", "installutil.exe", "jsc.exe", "makecab.exe", "mavinject.exe", "microsoft.workflow.compiler.exe", "mmc.exe", "mpcmdrun.exe", "msbuild.exe", "msconfig.exe", "msdt.exe", "mshta.exe", "msiexec.exe", "netsh.exe", "odbcconf.exe", "pcalua.exe", "pcwrun.exe", "pktmon.exe", "presentationhost.exe", "print.exe", "psr.exe", "rasautou.exe", "reg.exe", "regasm.exe", "regedit.exe", "regini.exe", "register-cimprovider.exe", "regsvcs.exe", "regsvr32.exe", "replace.exe", "rpcping.exe", "rundll32.exe", "runonce.exe", "runscripthelper.exe", "sc.exe", "schtasks.exe", "scriptrunner.exe", "syncappvpublishingserver.exe", "ttdinject.exe", "tttracer.exe", "vbc.exe", "verclsid.exe", "wab.exe", "wmic.exe", "wscript.exe", "wsreset.exe", "xwizard.exe", "agentexecutor.exe", "appvlp.exe", "bginfo.exe", "cdb.exe", "csi.exe", "devtoolslauncher.exe", "dnx.exe", "dotnet.exe", "dxcap.exe", "excel.exe", "mftrace.exe", "msdeploy.exe", "msxsl.exe", "ntdsutil.exe", "powerpnt.exe", "rcsi.exe", "sqldumper.exe", "sqlps.exe", "sqltoolsps.exe", "squirrel.exe", "te.exe", "tracker.exe", "vsjitdebugger.exe", "winword.exe", "wsl.exe", "powershell.exe", "pwsh.exe"]);
Let binding: binaries_of_interest
let binaries_of_interest = dynamic(["net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "tasklist.exe", "quser.exe", "tracert.exe", "route.exe", "runas.exe", "klist.exe", "wevtutil.exe", "wmiprvse.exe", "powershell.exe", "bash.exe", "qwinsta.exe", "rwinsta.exe", "replace.exe", "findstr.exe", "icacls.exe", "cacls.exe", "xcopy.exe", "robocopy.exe", "takeown.exe", "vssadmin.exe", "nltest.exe", "nltestk.exe", "sctasks.exe", "nbtstat.exe", "nbtinfo.exe", "mofcomp.exe", "nltestrk.exe", "dnscmd.exe", "registercimprovider.exe", "registercimprovider2.exe", "procdump", "ru.exe", "pspasswd.exe", "psexec.c", "psexec.exe", "pslist.exe", "regsize", "pskill.exe", "pkill.exe", "wsmprovhost.exe", "fltmc.exe", "sdbinst.exe"]);
Stage 1: source
DeviceProcessEvents
Stage 2: where
| where ingestion_time() >= ago(timeframe)
Stage 3: where
| where ActionType =~ "ProcessCreated"
Stage 4: extend
| extend process_name=tolower(FileName)
Stage 5: extend
| extend original_file_name=tolower(ProcessVersionInfoOriginalFileName)
Stage 6: where
| where original_file_name in~ (original_file_name_set)
Stage 7: where
| where original_file_name != ""
Stage 8: where
| where not(process_name=~"schtasks.exe" and original_file_name=~"schtasks.exe" and (FolderPath=~@"C:\Windows\System32\schtasks.exe" or FolderPath=~@"C:\Windows\SysWOW64\schtasks.exe"))
Stage 9: where
| where not(process_name=~"nbtstat.exe" and original_file_name=~"nbtinfo.exe" and FolderPath=~@"C:\Windows\System32\nbtstat.exe")
Stage 10: where
| where not(process_name=~"bginfo64.exe" and original_file_name=~"bginfo.exe" and (FolderPath=~@"C:\Windows\System32\Bginfo64.exe" or FolderPath =~@"C:\Program Files\SysInternals BGInfo\Bginfo64.exe"))
Stage 11: where
| where not(process_name=~"excelcnv.exe" and original_file_name=~"excel.exe" and (FolderPath startswith @"C:\Program Files\Microsoft Office Web Apps\ExcelServicesEcs\" or FolderPath startswith @"C:\Program Files\Microsoft Office\" or FolderPath startswith @"C:\Program Files (x86)\Microsoft Office\"))
Stage 12: where
| where not(process_name=~"psexec.exe" and original_file_name=~"psexec.c")
Stage 13: where
| where not(process_name=~"psexec64.exe" and original_file_name=~"psexec.c")
Stage 14: where
| where process_name != original_file_name
Stage 15: project
| project Timestamp,DeviceName,DeviceId,AccountName,process_name, original_file_name, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ReportId, InitiatingProcessAccountUpn
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| FolderPath | eq | C:\Windows\SysWOW64\schtasks.exe |
| FolderPath | eq | C:\Windows\System32\schtasks.exe |
| original_file_name | eq | schtasks.exe |
| process_name | eq | schtasks.exe |
| FolderPath | eq | C:\Windows\System32\nbtstat.exe |
| original_file_name | eq | nbtinfo.exe |
| process_name | eq | nbtstat.exe |
| FolderPath | eq | C:\Program Files\SysInternals BGInfo\Bginfo64.exe |
| FolderPath | eq | C:\Windows\System32\Bginfo64.exe |
| original_file_name | eq | bginfo.exe |
| process_name | eq | bginfo64.exe |
| FolderPath | starts_with | C:\Program Files (x86)\Microsoft Office\ |
| FolderPath | starts_with | C:\Program Files\Microsoft Office Web Apps\ExcelServicesEcs\ |
| FolderPath | starts_with | C:\Program Files\Microsoft Office\ |
| original_file_name | eq | excel.exe |
| process_name | eq | excelcnv.exe |
| original_file_name | eq | psexec.c |
| process_name | eq | psexec.exe |
| original_file_name | eq | psexec.c |
| process_name | eq | psexec64.exe |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActionType | eq | ProcessCreated |
| original_file_name | in | original_file_name_set |
| process_name | ne | original_file_name |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection, and $risk_score drives alerting. Sentinel and Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps them into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| AccountName | project |
| DeviceId | project |
| DeviceName | project |
| FolderPath | project |
| InitiatingProcessAccountUpn | project |
| InitiatingProcessCommandLine | project |
| InitiatingProcessFileName | project |
| InitiatingProcessParentFileName | project |
| InitiatingProcessVersionInfoOriginalFileName | project |
| ProcessCommandLine | project |
| ReportId | project |
| Timestamp | project |
| original_file_name | project |
| process_name | project |