OpenWith.exe Executes Specified Binary
The OpenWith.exe executes other binary
Sigma rule (View on GitHub)
1title: OpenWith.exe Executes Specified Binary
2id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
3status: test
4description: The OpenWith.exe executes other binary
5references:
6 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
7 - https://twitter.com/harr0ey/status/991670870384021504
8author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
9date: 2019-10-12
10modified: 2021-11-27
11tags:
12 - attack.defense-evasion
13 - attack.t1218
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\OpenWith.exe'
20 CommandLine|contains: '/c'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS
Read More
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE