Add netsh to renamed binary rule

jiluhu · Apr 20, 2020 · 7d437c2 · 7d437c2
1 parent 514bd86
commit 7d437c2
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml
@@ -2,7 +2,7 @@ title: Renamed Binary
 id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
 status: experimental
 description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)
+author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
 date: 2019/06/15
 modified: 2019/11/11
 references:
@@ -37,6 +37,7 @@ detection:
             - 'wevtutil.exe'
             - 'net.exe'
             - 'net1.exe'
+            - 'netsh.exe'
     filter:
         Image|endswith:
             - '\cmd.exe'
@@ -58,6 +59,7 @@ detection:
             - '\wevtutil.exe'
             - '\net.exe'
             - '\net1.exe'
+            - '\netsh.exe'
     condition: selection and not filter
 falsepositives:
     - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist