Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Service Creation (DC0060) | WinEventLog:Security | EventCode=7045 |

| Field | Description |
|---|---|
| OriginalFilenameMismatch | Compare executable file name with PE metadata OriginalFilename field |
| KnownSystemUtilityPaths | Tune based on expected installation directories for signed binaries |
| TimeWindow | Correlation window between file creation and service/process execution |

Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cron job registration follows shortly after the file drop.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | linux:syslog | rename |
| File Metadata (DC0059) | linux:osquery | file_events |

| Field | Description |
|---|---|
| DropLocationPattern | Directories where new binaries are suspicious (e.g., /tmp) |
| FilenameAnomalies | Regex for Unicode/RLO/space abuse in filenames |
| ExecutionDelayWindow | Time range between file write and execution used for joining |
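
The following added example (not part of the original detection strategy) implements the Windows OriginalFilenameMismatch / KnownSystemUtilityPaths checks and the Linux DropLocationPattern / FilenameAnomalies / ExecutionDelayWindow join over constructed sample records; the tunable values, field names and sample paths are assumptions modelled on Sysmon EventCode=1 and auditd execve fields.

```python
import ntpath
import posixpath
import re

# Tunables from the field tables above; values are assumed defaults, adjust per environment.
KNOWN_SYSTEM_UTILITY_PATHS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DROP_LOCATION_PATTERN = re.compile(r"^/(tmp|dev/shm|var/tmp)(/|$)")
FILENAME_ANOMALIES = re.compile(r"[\u200b-\u200f\u202a-\u202e]|\s$")  # bidi/zero-width controls, trailing space
EXECUTION_DELAY_WINDOW = 300  # seconds between file write and execve

def original_filename_mismatch(event):
    """Sysmon EventCode=1: compare on-disk name with PE OriginalFileName; finding dict or None."""
    image, original = event.get("Image", ""), event.get("OriginalFileName", "")
    if original in ("", "-"):  # no PE metadata to compare against
        return None
    if ntpath.basename(image).lower() == original.lower():
        return None
    known = ntpath.dirname(image).lower() in KNOWN_SYSTEM_UTILITY_PATHS
    return {"image": image, "original": original, "in_known_path": known}

def linux_filename_findings(path):
    """Flag uncommon drop directories and name tricks (RLO, trailing space) in a Linux path."""
    findings = []
    if DROP_LOCATION_PATTERN.match(path):
        findings.append("uncommon_drop_location")
    if FILENAME_ANOMALIES.search(posixpath.basename(path)):
        findings.append("filename_anomaly")
    return findings

def correlate_write_then_exec(writes, execs, window=EXECUTION_DELAY_WINDOW):
    """Join each execve to the latest write of the same path within `window` seconds."""
    hits = []
    for e in execs:
        prior = [w["ts"] for w in writes
                 if w["path"] == e["path"] and 0 <= e["ts"] - w["ts"] <= window]
        if prior:
            hits.append({"path": e["path"], "delay": e["ts"] - max(prior),
                         "findings": linux_filename_findings(e["path"])})
    return hits

# Constructed sample telemetry (not real logs); field names mirror Sysmon / auditd conventions.
SYSMON_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "helper.exe"},
    {"Image": r"C:\ProgramData\update.exe", "OriginalFileName": "-"},
]
FILE_WRITES = [{"path": "/tmp/.x/sshd", "ts": 100}, {"path": "/usr/bin/vim", "ts": 50}]
EXECVES = [{"path": "/tmp/.x/sshd", "ts": 160}, {"path": "/usr/bin/vim", "ts": 5000},
           {"path": "/home/u/report.pdf\u202eexe", "ts": 200}]
```

Records whose OriginalFileName is absent (`-`) are skipped rather than flagged, so the mismatch rule only fires where PE metadata actually exists to compare against.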

Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.

| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | macos:unifiedlog | process |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| File Metadata (DC0059) | fs:fileevents | /var/log/install.log |

| Field | Description |
|---|---|
| InfoPlistDiscrepancy | Mismatch between bundle metadata and file system path/name |
| LaunchAgentPath | Unusual LaunchDaemon/LaunchAgent paths can be tuned per org |
| ExecutionTrigger | Window between install and first execution (e.g., at user login) |

Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | containerd:runtime | /var/log/containers/*.log |
| Image Metadata (DC0028) | docker:events | docker.events.json |
| File Modification (DC0061) | ebpf:syscalls | file_write |

| Field | Description |
|---|---|
| ImageLabelMismatch | Tune detection based on mismatch between image name and labels |
| StartupScriptLocation | Detect binaries added or modified in startup path (e.g., /entrypoint.sh) |
| ProcessNamePattern | Allow tuning based on suspicious binary naming inside containers |

Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.

| Data Component | Name | Channel |
|---|---|---|
| Service Metadata (DC0041) | esxi:hostd | registers services with legitimate-sounding names |
| Command Execution (DC0064) | esxi:shell | scripts or binaries with misleading names |

| Field | Description |
|---|---|
| ServiceNameBaseline | Tune based on default service names vs. suspicious new entries |
| ScriptFilePath | Watch for new binaries/scripts in boot or cron folders |
| ExecutionContext | Determine if execution happens at boot or scheduled interval |