Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path

ID: DET0005
Domains: Enterprise
Analytics: AN0012, AN0013, AN0014
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0012

Execution of binaries where the on-disk filename does not match PE metadata such as OriginalFilename or InternalName. Often observed with renamed LOLBAS or system binaries like rundll32, powershell, or psexec.

Log Sources

| Data Component             | Name                 | Channel                |
| Process Creation (DC0032)  | WinEventLog:Sysmon   | EventCode=1            |
| File Creation (DC0039)     | WinEventLog:Sysmon   | EventCode=11           |
| Command Execution (DC0064) | EDR:AMSI             | None                   |

Mutable Elements

| Field                  | Description                                                               |
| ImagePath              | Filter by suspicious or non-standard directory paths                      |
| PEInternalNameMismatch | Enable tuning based on mismatch rules between metadata and disk filename  |
| CommandLinePattern     | Flag unusual or rare argument combinations for LOLBAS-like tools          |
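An added example (not part of the DET0005 entry) of how the AN0012 mismatch and ImagePath checks can be applied to Sysmon EventCode=1 records. The suspicious-directory list and severity labels are assumptions for illustration, and the sample events are constructed; it compares file stems rather than full names because Sysmon reports OriginalFileName with arbitrary casing and some legitimate binaries carry an OriginalFileName with a different extension than the on-disk file.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Directories a renamed system binary is rarely launched from (assumed tuning
# list; this is the ImagePath mutable element).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\windows\\temp\\",
                   "\\appdata\\local\\temp\\", "\\programdata\\")


def pe_name_mismatch(event: dict) -> bool:
    """True when the on-disk basename differs from the PE OriginalFileName.

    Stems are compared case-insensitively. Absent metadata ('-', '?' or empty,
    e.g. a PE without a version resource) cannot be compared and is not flagged.
    """
    original = event.get("OriginalFileName", "")
    if original in ("", "-", "?"):
        return False
    on_disk = PureWindowsPath(event["Image"]).stem.lower()
    return on_disk != PureWindowsPath(original).stem.lower()


def suspicious_path(image: str) -> bool:
    """ImagePath tuning: execution from user-writable or staging directories."""
    return any(d in image.lower() for d in SUSPICIOUS_DIRS)


def evaluate(event: dict) -> Optional[str]:
    """Severity for one Sysmon EventCode=1 record: 'high', 'medium' or None."""
    mismatch = pe_name_mismatch(event)
    if mismatch and suspicious_path(event["Image"]):
        return "high"
    if mismatch:
        return "medium"
    return None


def triage(events):
    """Return (Image, severity) for every record that fires."""
    return [(e["Image"], evaluate(e)) for e in events if evaluate(e)]


# Constructed Sysmon EventCode=1 records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Tools\ps.exe", "OriginalFileName": "psexec.c"},
    {"Image": r"C:\ProgramData\update.exe", "OriginalFileName": "-"},
]

if __name__ == "__main__":
    for image, severity in triage(SAMPLE_EVENTS):
        print(severity, image)
```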

AN0013

Execution of renamed or relocated native macOS utilities with uncommon names or non-default paths (e.g., renamed osascript, bash, or curl).

Log Sources

| Data Component             | Name                    | Channel                         |
| Process Metadata (DC0034)  | macos:unifiedlog        | subsystem=com.apple.process     |
| Process Creation (DC0032)  | macos:endpointsecurity  | ES_EVENT_TYPE_NOTIFY_EXEC       |
| File Modification (DC0061) | fs:fileevents           | /var/log/quarantine.log         |

Mutable Elements

| Field                | Description                                                                        |
| PathDeviation        | Path deviation from expected directory (e.g., /usr/bin/ vs /tmp/)                  |
| BinaryHashReputation | Enable tuning based on hash matching known signed versions vs suspicious clones    |
| UserRole             | Scope detections based on non-admin users using admin-level tools                  |

AN0014

Execution of renamed common utilities (e.g., bash, nc, python, sh) from atypical directories or with names intended to deceive defenders or EDRs.

Log Sources

| Data Component             | Name            | Channel                          |
| Process Creation (DC0032)  | auditd:SYSCALL  | execve                           |
| File Metadata (DC0059)     | linux:osquery   | event-based                      |
| Command Execution (DC0064) | linux:syslog    | /var/log/syslog or journalctl    |

Mutable Elements

| Field                | Description                                                                          |
| ExecutionPath        | Path anomalies such as execution from /dev/shm, /tmp, or user home directories       |
| ParentProcessContext | Unusual lineage such as scripts invoking renamed tools                               |
| TimeWindow           | Correlate between file rename and immediate execution                                |