Use of OpenConsole
Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
Sigma rule (View on GitHub)
1title: Use of OpenConsole
2id: 814c95cc-8192-4378-a70a-f1aafd877af1
3status: test
4description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
5references:
6 - https://twitter.com/nas_bench/status/1537563834478645252
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/16
9tags:
10 - attack.execution
11 - attack.t1059
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - OriginalFileName: 'OpenConsole.exe'
18 - Image|endswith: '\OpenConsole.exe'
19 filter:
20 Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal' # We exclude the default path for WindowsTerminal
21 condition: selection and not filter
22falsepositives:
23 - Legitimate use by an administrator
24level: medium
References
Related rules
- Atlassian Confluence CVE-2022-26134
- Azure New CloudShell Created
- BPFDoor Abnormal Process ID or Lock File Accessed
- Parent in Public Folder Suspicious Process
- Payload Decoded and Decrypted via Built-in Utilities