Suspicious Extexport Execution
Extexport.exe loads a DLL and is executed from a folder other than its original path.
Sigma rule
title: Suspicious Extexport Execution
id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a
status: test
description: Extexport.exe loads dll and is execute from other folder the original path
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Extexport/
author: frack113
date: 2021/11/26
modified: 2022/05/16
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: Extexport.exe
        - Image|endswith: '\Extexport.exe'
        - OriginalFileName: 'extexport.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
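How the selection above evaluates, as an added example that is not part of the published rule or of the Sigma project's code. The events, their paths and the `<args>` placeholder are constructed, and the Internet Explorer directory is assumed to be the binary's install location.

```python
# Added example (not part of the published rule): evaluates the rule's
# selection block. Sigma semantics: a list of maps under one selection is
# OR'ed, and string matching is case-insensitive.
SELECTION = [
    {"CommandLine|contains": "Extexport.exe"},
    {"Image|endswith": r"\Extexport.exe"},
    {"OriginalFileName": "extexport.exe"},
]

def field_matches(event, key, expected):
    """Apply one 'Field|modifier: value' test to an event dict."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:          # field absent in this log source
        return False
    actual, expected = actual.lower(), expected.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected

def rule_matches(event, selection=SELECTION):
    """True when any list item matches; fields inside one item are AND'ed."""
    return any(all(field_matches(event, k, v) for k, v in item.items())
               for item in selection)

# Constructed process_creation events; paths and arguments are assumptions.
EVENTS = {
    "default_path": {
        "Image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
        "CommandLine": r'"C:\Program Files\Internet Explorer\ExtExport.exe" <args>',
        "OriginalFileName": "extexport.exe"},
    "renamed_copy": {
        "Image": r"C:\Users\Public\update.exe",
        "CommandLine": "update.exe <args>",
        "OriginalFileName": "extexport.exe"},
    "no_pe_metadata": {         # log source that lacks OriginalFileName
        "Image": r"C:\Temp\EXTEXPORT.EXE",
        "CommandLine": r"C:\Temp\EXTEXPORT.EXE <args>"},
    "unrelated": {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "OriginalFileName": "NOTEPAD.EXE"},
}

def matching_events(events=EVENTS):
    """Names of the constructed events the selection fires on."""
    return sorted(name for name, ev in events.items() if rule_matches(ev))
```

The selection carries no path filter, so default_path matches alongside the copies in other folders; renamed_copy is caught only through OriginalFileName, which a log source without PE metadata cannot provide.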
Related rules
- Created Files by Microsoft Sync Center
- DeviceCredentialDeployment Execution
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina
- Ie4uinit Lolbin Use From Invalid Path