| Item | Value |
| --- | --- |
| ID | DET0005 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1036.003 (Rename Legitimate Utilities)
Analytics
Windows
AN0012
Execution of binaries where the on-disk filename does not match PE metadata such as OriginalFilename or InternalName. Often observed with renamed LOLBAS or system binaries like rundll32, powershell, or psexec.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ImagePath | Filter by suspicious or non-standard directory paths |
| PEInternalNameMismatch | Enable tuning based on mismatch rules between PE metadata and the on-disk filename |
| CommandLinePattern | Flag unusual or rare argument combinations for LOLBAS-like tools |
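The AN0012 comparison run over log records, as an added example that is not part of the DET0005 page or of ATT&CK's own content. It takes constructed records in the shape of Sysmon Event ID 1 (process creation), which carries the PE OriginalFileName alongside the Image path, and compares the filename stem on disk with the stem of OriginalFileName. Comparing stems rather than full names absorbs case and extension differences (PowerShell.EXE vs powershell.exe) and the known quirk that PsExec reports its OriginalFileName as psexec.c. The three tunables from the table are applied as an ImagePath directory list, an allowlist of accepted (disk name, PE name) pairs for PEInternalNameMismatch, and a CommandLinePattern fragment list. The directory list, the pattern list and the events themselves are assumptions chosen for illustration.

```python
import json
import ntpath

# Constructed records in the shape of Sysmon Event ID 1 (process creation), cut
# down to the fields the analytic needs. They are illustrative, not real telemetry.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Users\\Public\\svchost.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "svchost.exe -nop -w hidden -enc SQBFAFgA", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\ProgramData\\update.exe", "OriginalFileName": "psexec.c", "CommandLine": "update.exe -accepteula -s cmd.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Tools\\mytool.exe", "OriginalFileName": "?", "CommandLine": "mytool.exe --check", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Tools\\PsExec.exe", "OriginalFileName": "psexec.c", "CommandLine": "PsExec.exe -accepteula \\\\FILESRV cmd", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
"""

# ImagePath tunable: directories where a renamed system binary is rarely legitimate (assumed list).
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
# CommandLinePattern tunable: argument fragments that are rare for LOLBAS-style tools (assumed list).
RARE_ARG_PATTERNS = ("-enc", "-encodedcommand", "-nop", "javascript:", "scrobj.dll", "\\\\")


def stem(name):
    """Lowercase filename without extension, so PowerShell.EXE == powershell.exe and psexec.c == psexec."""
    return ntpath.splitext(ntpath.basename(name))[0].lower()


def pe_name_mismatch(image, original):
    """True when the on-disk stem differs from the PE OriginalFileName stem.
    Returns None when Sysmon recorded no version info ('?'), which is a separate
    signal (no PE metadata) rather than evidence of renaming."""
    if original in (None, "", "?"):
        return None
    return stem(image) != stem(original)


def evaluate(event, allowed_pairs=frozenset()):
    """Score one process-creation event. allowed_pairs is the PEInternalNameMismatch
    tuning: a set of (disk filename, OriginalFileName) pairs, both lowercase, that
    are accepted as legitimate mismatches in this environment."""
    image = event["Image"]
    original = event.get("OriginalFileName", "?")
    disk_name = ntpath.basename(image).lower()
    mismatch = pe_name_mismatch(image, original)
    if mismatch is None:
        return {"image": image, "alert": False, "reasons": ["no_pe_metadata"]}
    if not mismatch or (disk_name, original.lower()) in allowed_pairs:
        return {"image": image, "alert": False, "reasons": []}
    reasons = ["pe_name_mismatch"]
    if image.lower().startswith(SUSPICIOUS_DIRS):
        reasons.append("suspicious_image_path")
    cmd = event.get("CommandLine", "").lower()
    if any(p in cmd for p in RARE_ARG_PATTERNS):
        reasons.append("rare_commandline")
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return {"image": image, "original": original, "alert": True,
            "reasons": reasons, "severity": severity}


def run(raw=SAMPLE_EVENTS, allowed_pairs=frozenset()):
    """Evaluate every JSON line in raw and return the per-event results in order."""
    return [evaluate(json.loads(line), allowed_pairs)
            for line in raw.strip().splitlines() if line.strip()]


def alerts(raw=SAMPLE_EVENTS, allowed_pairs=frozenset()):
    """Only the events that tripped the mismatch rule."""
    return [r for r in run(raw, allowed_pairs) if r["alert"]]


if __name__ == "__main__":
    for r in alerts():
        print(r["severity"], r["image"], "->", r["original"], r["reasons"])
```

Of the five constructed events, only the renamed PowerShell (high: mismatch, user-writable path, encoded command) and the renamed PsExec (medium) alert; the unrenamed PsExec does not, because its stem matches psexec.c, and the binary with no version info is reported separately rather than treated as a mismatch. Note that the comparison depends on the PE version resource being intact: an adversary can strip or rewrite OriginalFileName, so the no_pe_metadata outcome deserves its own lower-priority rule rather than being ignored.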
macOS
AN0013
Execution of renamed or relocated native macOS utilities with uncommon names or non-default paths (e.g., renamed osascript, bash, or curl).
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| PathDeviation | Path deviation from the expected directory (e.g., /usr/bin/ vs /tmp/) |
| BinaryHashReputation | Enable tuning based on hash matching of known signed versions vs suspicious clones |
| UserRole | Scope detections based on non-admin users using admin-level tools |
Linux
AN0014
Execution of renamed common utilities (e.g., bash, nc, python, sh) from atypical directories or with names intended to deceive defenders or EDRs.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ExecutionPath | Path anomalies such as execution from /dev/shm, /tmp, or user home directories |
| ParentProcessContext | Unusual lineage such as scripts invoking renamed tools |
| TimeWindow | Correlate a file rename with immediate execution |
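The AN0013 (macOS) and AN0014 (Linux) logic, as one added example that is not part of the DET0005 page or of ATT&CK's own content. Because a renamed or relocated copy of bash, python or osascript has no PE header to compare against, the example identifies the binary by content hash against an inventory of native utilities (the BinaryHashReputation element), then applies the PathDeviation / ExecutionPath staging-directory rule, the ParentProcessContext rule for interpreter parents, and the TimeWindow correlation between a rename and a subsequent execution. The inventory digests, the directory and interpreter lists, the 60-second window, and the exec and rename events are all constructed placeholders; a real deployment would fill the inventory from the package database or a golden image for each OS build.

```python
import json
import os.path
from datetime import datetime, timedelta

# Constructed inventory of native utilities keyed by content hash. The digests are
# placeholders, not real values; build the real table from dpkg/rpm data or a golden
# image for the exact OS build (macOS system binaries change with every OS update).
KNOWN_GOOD = {
    "sha256:placeholder-bash":      "/bin/bash",
    "sha256:placeholder-curl":      "/usr/bin/curl",
    "sha256:placeholder-python3":   "/usr/bin/python3",
    "sha256:placeholder-nc":        "/usr/bin/nc",
    "sha256:placeholder-osascript": "/usr/bin/osascript",
}
# PathDeviation / ExecutionPath tunable: staging directories (assumed list).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/Users/")
# ParentProcessContext tunable: interpreters whose children deserve scrutiny (assumed list).
SCRIPT_PARENTS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3", "/usr/bin/osascript")
# TimeWindow tunable: how soon after a rename an execution counts as correlated (assumed).
RENAME_WINDOW = timedelta(seconds=60)

# Constructed events: "exec" records as an EDR or auditd EXECVE pipeline might emit
# them, plus "rename" records from file-integrity monitoring. Not real telemetry.
SAMPLE_EVENTS = """
{"ts": "2025-10-21T10:00:00Z", "type": "exec", "path": "/usr/bin/curl", "hash": "sha256:placeholder-curl", "uid": 1000, "parent": "/bin/bash"}
{"ts": "2025-10-21T10:05:00Z", "type": "rename", "src": "/home/dev/.local/python3", "dst": "/dev/shm/kworker", "uid": 1000}
{"ts": "2025-10-21T10:05:12Z", "type": "exec", "path": "/dev/shm/kworker", "hash": "sha256:placeholder-python3", "uid": 1000, "parent": "/bin/sh"}
{"ts": "2025-10-21T10:30:00Z", "type": "exec", "path": "/home/dev/bin/nc", "hash": "sha256:placeholder-nc", "uid": 1000, "parent": "/usr/sbin/cron"}
{"ts": "2025-10-21T11:00:00Z", "type": "exec", "path": "/usr/local/bin/myapp", "hash": "sha256:placeholder-myapp", "uid": 1000, "parent": "/bin/bash"}
{"ts": "2025-10-21T11:15:00Z", "type": "exec", "path": "/Users/alice/Library/Caches/osa", "hash": "sha256:placeholder-osascript", "uid": 501, "parent": "/bin/zsh"}
"""


def parse_ts(s):
    """ISO-8601 with a trailing Z, as most pipelines emit it."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def evaluate(raw=SAMPLE_EVENTS):
    """Walk the events in time order and return one finding per exec that trips a rule."""
    recent_renames = {}   # destination path -> time of the rename that produced it
    findings = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["type"] == "rename":
            recent_renames[ev["dst"]] = ts
            continue
        path = ev["path"]
        name = os.path.basename(path)
        reasons = []
        # BinaryHashReputation: the content is a known native utility, but where is it?
        canonical = KNOWN_GOOD.get(ev.get("hash"))
        if canonical and canonical != path:
            if os.path.basename(canonical) != name:
                reasons.append("renamed_" + os.path.basename(canonical))
            else:
                reasons.append("relocated_" + name)
        # PathDeviation / ExecutionPath: run from a staging or user-writable directory.
        if path.startswith(STAGING_DIRS):
            reasons.append("exec_from_staging_dir")
        # TimeWindow: the file was created by a rename shortly before it ran.
        renamed_at = recent_renames.get(path)
        if renamed_at is not None and timedelta(0) <= ts - renamed_at <= RENAME_WINDOW:
            reasons.append("exec_%ds_after_rename" % (ts - renamed_at).total_seconds())
        # ParentProcessContext: only meaningful once something else already looks off.
        if reasons and ev.get("parent") in SCRIPT_PARENTS:
            reasons.append("launched_by_interpreter")
        if reasons:
            severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
            findings.append({"ts": ev["ts"], "path": path, "uid": ev["uid"],
                             "parent": ev.get("parent"), "reasons": reasons,
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for f in evaluate():
        print(f["severity"], f["ts"], f["path"], f["reasons"])
```

The python3 copy renamed to kworker in /dev/shm scores highest because all four rules fire, including the 12-second gap between the rename and the execution; nc relocated into a home directory and osascript renamed in a user cache score on two and three rules respectively, while curl from /usr/bin and an unknown binary in /usr/local/bin produce nothing. Two caveats apply in practice: an adversary who copies rather than renames leaves no rename event, so file-create events should feed the same correlation map, and a copy altered by a single byte will not match the inventory hash, so pair the hash lookup with code-signing identity on macOS and with package-manager verification on Linux.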