Lolbin Defaultpack.exe Use As Proxy
Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs
Sigma rule

```yaml
title: Lolbin Defaultpack.exe Use As Proxy
id: b2309017-4235-44fe-b5af-b15363011957
status: test
description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
    - https://www.echotrail.io/insights/search/defaultpack.exe
author: frack113
date: 2022/12/31
tags:
    - attack.t1218
    - attack.defense_evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\defaultpack.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
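As an added example (not part of this rule page or of the Sigma project's own code), the Python below evaluates the rule's single selection against a few constructed Windows process_creation events. It implements only the `endswith` modifier and plain equality, applies Sigma's default case-insensitive matching, and assumes Sysmon-style `ParentImage`/`Image` field names; all sample paths are constructed.

```python
"""Evaluate the 'Lolbin Defaultpack.exe Use As Proxy' selection against
constructed process_creation events.

Sigma string comparisons are case-insensitive by default and 'endswith'
matches the tail of the field, so the rule fires on any child process whose
ParentImage ends with '\defaultpack.exe', whatever the drive, path or case.
"""

# The rule's selection, transcribed from the YAML above.
SELECTION = {"ParentImage|endswith": r"\defaultpack.exe"}


def field_matches(field_spec: str, expected: str, event: dict) -> bool:
    """Apply one Sigma field/modifier pair to an event.
    Only 'endswith' and bare equality are implemented (enough for this rule)."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:          # absent field never matches
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict) -> bool:
    """All keys of a Sigma selection map are AND-ed together."""
    return all(field_matches(k, v, event) for k, v in SELECTION.items())


# Constructed sample events (not real telemetry); paths are illustrative.
EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},            # matches (case-insensitive)
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe"},  # no match: it is the child
    {"ParentImage": r"D:\tools\defaultpack.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # matches (any path)
]


def matching_children(events):
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for image in matching_children(EVENTS):
        print("ALERT: child of defaultpack.exe ->", image)
```

Note that the second event shows the rule's scope: it alerts on what defaultpack.exe spawns, not on defaultpack.exe being launched itself.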
Related rules
- Potentially Suspicious Child Process Of VsCode
- Potential Compromised 3CXDesktopApp Execution
- Suspicious Child Process Of BgInfo.EXE
- Suspicious Csi.exe Usage
- Windows Shell/Scripting Processes Spawning Suspicious Programs