← Back to SOC feed Coverage →

PUA - Potential PE Metadata Tamper Using Rcedit

sigma MEDIUM SigmaHQ
T1036.003T1036T1027.005T1027
imProcessCreate
evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Detection Rule

Sigma (Original)

title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((TargetProcessName endswith "\\rcedit-x64.exe" or TargetProcessName endswith "\\rcedit-x86.exe") or TargetProcessFileDescription =~ "Edit resources of exe" or TargetProcessFileProduct =~ "rcedit") and TargetProcessCommandLine contains "--set-" and (TargetProcessCommandLine contains "OriginalFileName" or TargetProcessCommandLine contains "CompanyName" or TargetProcessCommandLine contains "FileDescription" or TargetProcessCommandLine contains "ProductName" or TargetProcessCommandLine contains "ProductVersion" or TargetProcessCommandLine contains "LegalCopyright")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml