Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
Sigma rule

```yaml
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
    - https://twitter.com/nas_bench/status/1534916659676422152
    - https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-06-23
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\adplus.exe'
        - OriginalFileName: 'Adplus.exe'
    selection_cli:
        CommandLine|contains:
            # Dump process memory
            - ' -hang '
            - ' -pn '
            - ' -pmn '
            - ' -p '
            - ' -po '
            # Using a config file
            - ' -c '
            # Execute commands inline
            - ' -sc '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of Adplus for debugging purposes
level: high
```
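To see how the two selections combine under `all of selection_*`, here is an added Python re-implementation of the rule's matching logic (written for this page, not part of the Sigma rule or SigmaHQ tooling), run over constructed process_creation events; the SDK path, process names and command lines are made up for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcessCreationEvent:  # the process_creation fields the rule reads
    image: str
    original_file_name: str  # empty when the log source lacks it (e.g. Security 4688)
    command_line: str

# selection_img is a list of maps, i.e. OR: either field may match.
IMAGE_SUFFIX = "\\adplus.exe"
ORIGINAL_FILE_NAME = "adplus.exe"
# selection_cli: CommandLine|contains over a list is OR across the substrings.
# The spaces belong to each pattern, so a switch only matches when it is
# space-delimited on both sides.
CLI_PATTERNS = (
    " -hang ", " -pn ", " -pmn ", " -p ", " -po ",  # dump process memory
    " -c ",                                          # config file
    " -sc ",                                         # inline commands
)

def matches_selection_img(ev: ProcessCreationEvent) -> bool:
    # Sigma string comparisons are case-insensitive, so normalise first.
    return (ev.image.lower().endswith(IMAGE_SUFFIX)
            or ev.original_file_name.lower() == ORIGINAL_FILE_NAME)

def matches_selection_cli(ev: ProcessCreationEvent) -> bool:
    cl = ev.command_line.lower()
    return any(p in cl for p in CLI_PATTERNS)

def rule_matches(ev: ProcessCreationEvent) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return matches_selection_img(ev) and matches_selection_cli(ev)

SDK = r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe"  # assumed path
# Constructed sample events (not real telemetry), one per situation of interest.
SAMPLE_EVENTS = [
    # renamed copy: Image misses, OriginalFileName still catches it -> True
    ProcessCreationEvent(r"C:\Users\Public\dbg.exe", "Adplus.exe",
                         r"dbg.exe -hang -pn notepad.exe -o C:\dumps"),
    # genuine binary, no flagged switch -> False
    ProcessCreationEvent(SDK, "Adplus.exe", "adplus.exe -help"),
    # developer debugging a crash -> True (the documented false positive)
    ProcessCreationEvent(SDK, "Adplus.exe", r"adplus.exe -crash -pn MyService.exe -o D:\dumps"),
    # 4688-style event with no OriginalFileName, mixed case -> True via Image + ' -p '
    ProcessCreationEvent(r"C:\TOOLS\ADPLUS.EXE", "", "ADPLUS.EXE -P 4712 -HANG"),
    # unrelated process -> False
    ProcessCreationEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c dir"),
]

def evaluate(events=SAMPLE_EVENTS) -> list[bool]:
    return [rule_matches(ev) for ev in events]  # SAMPLE_EVENTS -> [True, False, True, True, False]
```

Calling `evaluate()` returns one verdict per sample event; the third event fires by design and is the case the `falsepositives` field asks analysts to triage.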
Related rules
- HackTool - HandleKatz Duplicating LSASS Handle
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- Add Insecure Download Source To Winget
- Add New Download Source To Winget