Skip to content

Hide Navigation Hide TOC

Potential Binary Impersonating Sysinternals Tools (7cce6fc8-a07f-4d84-a53e-96e1879843c9)

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.

Cluster A Galaxy A Cluster B Galaxy B Level
Potential Binary Impersonating Sysinternals Tools (7cce6fc8-a07f-4d84-a53e-96e1879843c9) Sigma-Rules Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Potential Binary Impersonating Sysinternals Tools (7cce6fc8-a07f-4d84-a53e-96e1879843c9) Sigma-Rules System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Potential Binary Impersonating Sysinternals Tools (7cce6fc8-a07f-4d84-a53e-96e1879843c9) Sigma-Rules Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2