Here is a single line Windows batch command which renames and patches a binary in order to avoid detection.
Many detections that look for malicious or uncommon usage of built-in Windows tools/utilities (i.e. attackers living-of-the-land) depend on well-known file/process names (ex. powershell.exe). But, if defenders are also monitoring for the well known checksums of those utilities for detection, simply renaming the file (powershell.exe -> llehsrewop.exe) will not avoid detection.
Here’s an example showing how to copy, patch (unique checksum), and rename powershell.exe, then call a Hello World powershell command all in one line.
copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe %temp%\powershell.exe & echo 0 >> %temp%\powershell.exe & move %temp%\powershell.exe %temp%\llehsrewop.exe & start /b %temp%\llehsrewop.exe /NoP /NonI /w Hidden /enc VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAGwAbABvACAAVwBvAHIAbABkACIA
That’s it, nothing fancy. But, it is enough to defeat both name and checksum-based detections!
If your detections rely on well known names of files/processes to alert, you need to cover the scenarios when a well known utility is NOT named as expected: