Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
Sigma rule (View on GitHub)
1title: Potential Adplus.EXE Abuse
2id: 2f869d59-7f6a-4931-992c-cce556ff2d53
3status: test
4description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
7 - https://twitter.com/nas_bench/status/1534916659676422152
8 - https://twitter.com/nas_bench/status/1534915321856917506
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/06/09
11modified: 2023/06/23
12tags:
13 - attack.defense_evasion
14 - attack.execution
15 - attack.t1003.001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith: '\adplus.exe'
22 - OriginalFileName: 'Adplus.exe'
23 selection_cli:
24 CommandLine|contains:
25 # Dump process memory
26 - ' -hang '
27 - ' -pn '
28 - ' -pmn '
29 - ' -p '
30 - ' -po '
31 # Using a config file
32 - ' -c '
33 # Execute commands inline
34 - ' -sc '
35 condition: all of selection_*
36falsepositives:
37 - Legitimate usage of Adplus for debugging purposes
38level: high
References
-
Execute arbitrary commands and binaries from the context of adplus. Note that providing an output directory via '-o' is required. adplus.exe -crash -o "C:\temp\" -sc calc.exe Use caseRun commands u...
Read More -
-
Related rules
- HackTool - HandleKatz Duplicating LSASS Handle
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Potential ShellDispatch.DLL Functionality Abuse
- Potentially Suspicious Child Process Of ClickOnce Application
- UNC4841 - Barracuda ESG Exploitation Indicators