Rename System Utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.

Example

This technique is very simple: it takes a legitimate system utility and just renames it. Sometimes the logging or the IDS is looking for specific strings and blocks execution on a match, but what if, instead of calling rundll32, we call "dllexecute", which is rundll32 under a different name? Execution and functionality stay exactly the same, but the defense is bypassed because the string is no longer rundll32.

Two different syntaxes, but the same result, since rundll32 has only been renamed and its functionality has not changed.

Sometimes renaming a utility is enough to bypass security. In previous research, it seemed that renaming the payload to MSBuild was enough to prevent Defender from scanning it.
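The defensive counterpart to both cases above (a utility renamed, and a utility copied to a non-standard directory) is to stop matching on the on-disk filename alone. A plain rename does not change the name stored in the executable's PE version resource, which Sysmon exposes as the `OriginalFileName` field of its process-creation event. The following added example, which is not part of the original page, reads constructed Sysmon-style events and flags a process when the PE's original name disagrees with the filename it was launched as, or when a known utility runs from outside its expected directory. The event format, the field names used, the sample events and the `EXPECTED_DIRS` table are assumptions made for this example.

```python
"""Flag renamed or relocated system utilities from process-creation telemetry.

Added example, not part of the original page. It assumes Sysmon-style
Event ID 1 fields: Image (full path of the executable on disk) and
OriginalFileName (the name stored in the PE version resource, which a
file rename does not alter; Sysmon writes "-" when it is absent).
"""
import json
from pathlib import PureWindowsPath

# Directories a utility normally runs from, lower-cased. Assumption for this
# example: only rundll32.exe gets a fixed-location check; extend as needed.
EXPECTED_DIRS = {
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed sample log: one JSON event per line. PIDs and paths are made up.
SAMPLE_LOG = r"""
{"ProcessId": 4100, "Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"}
{"ProcessId": 4212, "Image": "C:\\Users\\Public\\dllexecute.exe", "OriginalFileName": "RUNDLL32.EXE"}
{"ProcessId": 4300, "Image": "C:\\Temp\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"}
{"ProcessId": 4388, "Image": "C:\\Users\\Public\\MSBuild.exe", "OriginalFileName": "DROPPER.EXE"}
{"ProcessId": 4410, "Image": "C:\\Tools\\custom.exe", "OriginalFileName": "-"}
""".strip()


def parse_events(log_text):
    """Parse newline-delimited JSON events into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def check_event(ev):
    """Return a list of finding strings for one process-creation event."""
    findings = []
    path = PureWindowsPath(ev["Image"])
    on_disk = path.name.lower()
    parent_dir = str(path.parent).lower()
    original = ev.get("OriginalFileName", "-")
    has_version_info = original not in ("-", "", "?")

    # 1. Renamed binary: the PE still says what it is, the filename says otherwise.
    if has_version_info and original.lower() != on_disk:
        findings.append(
            f"renamed: on disk as {on_disk!r}, PE OriginalFileName is {original!r}"
        )

    # 2. Relocated binary: identify the utility by its PE name when available,
    #    then check it is running from one of its expected directories.
    effective = original.lower() if has_version_info else on_disk
    expected = EXPECTED_DIRS.get(effective)
    if expected and parent_dir not in expected:
        findings.append(f"relocated: {effective} running from {parent_dir!r}")
    return findings


def scan(log_text):
    """Map ProcessId -> findings for every event that produced at least one."""
    alerts = {}
    for ev in parse_events(log_text):
        findings = check_event(ev)
        if findings:
            alerts[ev["ProcessId"]] = findings
    return alerts


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_LOG).items():
        for finding in findings:
            print(f"PID {pid}: {finding}")
```

On the constructed sample, the legitimate `rundll32.exe` launch produces nothing, `dllexecute.exe` is reported both as renamed and as running outside System32, the copy in `C:\Temp` is reported as relocated only, and the payload masquerading as `MSBuild.exe` is caught because its PE name does not match. An executable with no version information is left alone by the rename check, which is why a complete detection still needs other signals (hash, signer, parent process) alongside this one.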