Date: 07/18/2025
Severity: Medium
Summary
Detects the execution of a renamed copy of a binary commonly abused by attackers or malware. The Sysmon OriginalFileName field (taken from the executable's PE version information) still reports the tool's original name, so a process whose OriginalFileName is on the watchlist but whose on-disk Image name is not indicates a renamed binary.
Indicators of Compromise (IOC) List
Image:
- '\cmd.exe'
- '\conhost.exe'
- '\7z.exe'
- '\7za.exe'
- '\WinRAR.exe'
- '\wevtutil.exe'
- '\net.exe'
- '\net1.exe'
- '\netsh.exe'
- '\InstallUtil.exe'

OriginalFileName:
- 'Cmd.Exe'
- 'CONHOST.EXE'
- '7z.exe'
- '7za.exe'
- 'WinRAR.exe'
- 'wevtutil.exe'
- 'net.exe'
- 'net1.exe'
- 'netsh.exe'
- 'InstallUtil.exe'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Sysmon):
(resourcename = "Sysmon" AND eventtype = "1") AND originalfilename In ("Cmd.Exe","CONHOST.EXE","7z.exe","7za.exe","WinRAR.exe","wevtutil.exe","net.exe","net1.exe","netsh.exe","InstallUtil.exe") AND image not In ("cmd.exe","conhost.exe","7z.exe","7za.exe","WinRAR.exe","wevtutil.exe","net.exe","net1.exe","netsh.exe","InstallUtil.exe")

Detection Query (EDR):
(technologygroup = "EDR") AND originalfilename In ("Cmd.Exe","CONHOST.EXE","7z.exe","7za.exe","WinRAR.exe","wevtutil.exe","net.exe","net1.exe","netsh.exe","InstallUtil.exe") AND image not In ("cmd.exe","conhost.exe","7z.exe","7za.exe","WinRAR.exe","wevtutil.exe","net.exe","net1.exe","netsh.exe","InstallUtil.exe")
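The following is an added example of the same detection logic run over constructed Sysmon Event ID 1 records; it is not Gurucul or SigmaHQ code. It assumes the records are rendered as "Key: Value" lines separated by blank lines (a format chosen for the example), compares the file-name component of Image against the watchlist because Sysmon reports Image as a full path, and case-folds both sides because Sysmon reports OriginalFileName exactly as stored in the PE version resource (for example "Cmd.Exe" or "CONHOST.EXE").

```python
"""Renamed-binary detection over Sysmon Event ID 1 records (added example)."""
from pathlib import PureWindowsPath

# The rule's watchlist, case-folded once so that both OriginalFileName
# (e.g. "Cmd.Exe") and the Image file name can be compared against it.
WATCHLIST = frozenset(name.lower() for name in (
    "Cmd.Exe", "CONHOST.EXE", "7z.exe", "7za.exe", "WinRAR.exe",
    "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe",
))


def parse_sysmon_text(text):
    """Parse records rendered as 'Key: Value' lines, one record per
    blank-line-separated block (constructed format for this example)."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # split on the first colon only,
        if sep:                                 # so "C:\..." values stay intact
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_renamed_watched_binary(rec):
    """The rule: Sysmon EID 1 whose OriginalFileName is on the watchlist while
    the executed Image's file name is not one of the watched names."""
    if rec.get("EventID") != "1":
        return False
    ofn = rec.get("OriginalFileName", "-")
    if not ofn or ofn == "-":
        # No version resource: the field is absent and this rule cannot judge
        # the process either way, so it stays silent.
        return False
    if ofn.lower() not in WATCHLIST:
        return False
    image_name = PureWindowsPath(rec.get("Image", "")).name.lower()
    return image_name not in WATCHLIST


def find_renamed_binaries(text):
    """Return (Image, OriginalFileName) for every record that fires the rule."""
    return [(r["Image"], r["OriginalFileName"])
            for r in parse_sysmon_text(text) if is_renamed_watched_binary(r)]


# Constructed sample events: two legitimate tools under their own names, one
# unrelated process, one process with no version resource, and two renamed
# copies of watched tools that the rule should flag.
SAMPLE_EVENTS = r"""
EventID: 1
UtcTime: 2025-07-18 09:12:01.117
Image: C:\Windows\System32\cmd.exe
OriginalFileName: Cmd.Exe

EventID: 1
UtcTime: 2025-07-18 09:12:05.402
Image: C:\Users\Public\Downloads\update.exe
OriginalFileName: 7z.exe

EventID: 1
UtcTime: 2025-07-18 09:12:09.880
Image: C:\Windows\System32\notepad.exe
OriginalFileName: NOTEPAD.EXE

EventID: 1
UtcTime: 2025-07-18 09:12:12.014
Image: C:\Program Files\7-Zip\7z.exe
OriginalFileName: 7z.exe

EventID: 1
UtcTime: 2025-07-18 09:12:15.331
Image: C:\Users\Public\tool.exe
OriginalFileName: -

EventID: 1
UtcTime: 2025-07-18 09:12:18.006
Image: C:\ProgramData\svc.exe
OriginalFileName: CONHOST.EXE
"""

if __name__ == "__main__":
    for image, original in find_renamed_binaries(SAMPLE_EVENTS):
        print(f"ALERT renamed binary: {image} (OriginalFileName={original})")
```

Running the block flags only the two renamed copies. Note the fourth sample record: a process with no version resource reports OriginalFileName as "-", so this rule cannot fire on it; it detects renaming of signed, metadata-bearing binaries and should be paired with other process-creation telemetry rather than relied on alone.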
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml