Potential Adplus.EXE Abuse

Detects execution of "AdPlus.exe", a debugging helper that ships with the Windows SDK and that can be abused as a LOLBIN: its dump options write a target's process memory to disk (a credential-access path when the target is LSASS), and its config-file and inline-command options let it launch arbitrary commands. The rule requires both an AdPlus image (by path or by OriginalFileName, so renamed copies are covered) and one of those command-line options.

Sigma rule

title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
    - https://twitter.com/nas_bench/status/1534916659676422152
    - https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-06-23
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\adplus.exe'
        - OriginalFileName: 'Adplus.exe'
    selection_cli:
        CommandLine|contains:
            # Dump process memory
            - ' -hang '
            - ' -pn '
            - ' -pmn '
            - ' -p '
            - ' -po '
            # Using a config file
            - ' -c '
            # Execute commands inline
            - ' -sc '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of Adplus for debugging purposes
level: high
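
The following is an added example, not part of the Sigma rule or the Sigma project: it re-implements the rule's detection block in plain Python and runs it over a handful of constructed Sysmon-style process_creation events (the Image, OriginalFileName and CommandLine fields the rule reads). The option names in the sample command lines come from the rule; the paths, PIDs, the renamed-binary name and the extra adplus options used only for realism (-crash, -o, -help) are assumptions of this example, not claims about the rule.

```python
"""Evaluate the 'Potential Adplus.EXE Abuse' selections against process_creation events.

Added example, not part of the Sigma rule or the Sigma project. It re-implements
the rule's detection block in plain Python so the matching behaviour can be
inspected on constructed Sysmon-style events (Image, OriginalFileName, CommandLine).
"""

# Values copied from the rule's selection_img / selection_cli blocks.
# Sigma string modifiers (endswith, contains, plain equality) are
# case-insensitive by default, so every comparison below is done on lowercase.
IMAGE_SUFFIX = "\\adplus.exe"
ORIGINAL_FILE_NAME = "adplus.exe"
CLI_MARKERS = (
    " -hang ", " -pn ", " -pmn ", " -p ", " -po ",  # dump process memory
    " -c ",                                         # config file
    " -sc ",                                        # inline command
)


def selection_img(event: dict) -> bool:
    """A list of maps under selection_img is OR-ed: either field check suffices."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """CommandLine|contains with a value list is OR-ed over the values."""
    cli = event.get("CommandLine", "").lower()
    return any(marker in cli for marker in CLI_MARKERS)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must be true."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry). Paths, PIDs and the
# renamed-binary name are made up; -crash, -o and -help are adplus options
# the rule does not list and are here only to make the lines look realistic.
SAMPLE_EVENTS = [
    {   # dump a process by name: -hang and -pn are both in the marker list
        "id": "hang-dump",
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": r"adplus.exe -hang -pn lsass.exe -o C:\Users\Public\dumps",
    },
    {   # renamed copy: Image no longer ends with \adplus.exe, but OriginalFileName still says Adplus.exe
        "id": "renamed-sc",
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": r"svchost32.exe -crash -o C:\Temp -sc C:\Temp\payload.exe",
    },
    {   # upper-case image and options still match because Sigma matching is case-insensitive
        "id": "case-variant",
        "Image": r"C:\Debuggers\ADPLUS.EXE",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": "ADPLUS.EXE -Hang -P 4321 -O C:\\dumps",
    },
    {   # help output: none of the dump/config/command options, so selection_cli is false
        "id": "help-only",
        "Image": r"C:\Debuggers\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": "adplus.exe -help",
    },
    {   # unrelated binary whose arguments contain ' -p ': selection_cli fires but selection_img does not
        "id": "other-binary",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": 'cmd.exe /c "tasklist -p 1234"',
    },
    {   # option at the very end of the line: ' -p ' needs a trailing space, so this is missed
        "id": "trailing-option",
        "Image": r"C:\Debuggers\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": "adplus.exe -p",
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:>16}: {'ALERT' if matches(event) else 'no match'}")
```

Two things the sample set makes visible. First, the OriginalFileName alternative is what catches the renamed copy; an Image-only rule would miss it, which is why both checks sit under one OR-ed selection. Second, every marker is padded with a space on both sides, so an option that ends the command line, or one separated by a tab, does not match; short markers such as ' -p ' and ' -c ' would otherwise be too generic, and it is the AND with selection_img in the condition that keeps them from firing on unrelated processes.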
