PrintBrm ZIP Creation or Extraction
Detects execution of the LOLBIN PrintBrm.exe, the Windows print-queue migration tool, with a command line that references a .zip file. Its backup (-b) and restore (-r) modes can be abused to create or extract ZIP archives, which lets an attacker stage or unpack files with a signed Microsoft binary. PrintBrm.exe should not be run on a normal workstation.
Sigma rule

```yaml
title: PrintBrm ZIP Creation or Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022-05-02
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.defense-evasion
    - attack.t1564.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\PrintBrm.exe'
        CommandLine|contains|all:
            - ' -f'
            - '.zip'
    condition: selection
falsepositives:
    - Unknown
level: high
```
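The following is an added example, not part of the Sigma project or of this rule, showing the selection logic above applied to process-creation events. The event dictionaries are constructed for the example and use the Sigma `process_creation` field names (`Image`, `CommandLine`); the command lines mirror the LOLBAS-style backup (`-b`) and restore (`-r`) invocations, and the `C:\Windows\System32\spool\tools` path is where PrintBrm.exe normally lives. Sigma string modifiers are case-insensitive by default, so the matcher lower-cases both sides.

```python
"""Added example: evaluate the 'PrintBrm ZIP Creation or Extraction' selection
against process-creation events.  Illustrative code only; the events below are
constructed, not real telemetry."""


def printbrm_zip_match(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    Mirrors:
        Image|endswith: '\\PrintBrm.exe'
        CommandLine|contains|all: [' -f', '.zip']
    Sigma matching is case-insensitive unless a modifier says otherwise,
    so both the field values and the patterns are compared in lower case.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\printbrm.exe"):
        return False
    # contains|all: every pattern must appear somewhere in the command line
    return all(token in cmdline for token in (" -f", ".zip"))


# Constructed sample events (assumed field names follow Sigma process_creation).
SAMPLE_EVENTS = [
    {   # 1: ZIP creation from a staging directory (LOLBAS -b usage) -> match
        "Image": r"C:\Windows\System32\spool\tools\PrintBrm.exe",
        "CommandLine": r"PrintBrm -b -d C:\Users\Public\Staging -f C:\Users\Public\out.zip",
    },
    {   # 2: ZIP extraction (LOLBAS -r usage), mixed-case extension -> match
        "Image": r"C:\Windows\System32\spool\tools\PrintBrm.exe",
        "CommandLine": r"PrintBrm -r -f C:\Users\Public\in.ZIP -d C:\Users\Public\extracted",
    },
    {   # 3: print-queue backup to the tool's own .printerExport format -> no match
        "Image": r"C:\Windows\System32\spool\tools\PrintBrm.exe",
        "CommandLine": r"PrintBrm -b -s \\printsrv01 -f C:\Backups\queues.printerExport",
    },
    {   # 4: a different binary touching a .zip with a -f switch -> no match
        "Image": r"C:\Windows\System32\tar.exe",
        "CommandLine": r"tar -a -c -f archive.zip C:\data",
    },
]


def scan(events):
    """Return the 1-based indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events, start=1) if printbrm_zip_match(ev)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: {SAMPLE_EVENTS[idx - 1]['CommandLine']}")
```

Events 1 and 2 fire; event 3 shows the rule's intended blind spot: a legitimate print-server migration writes a .printerExport file, so it does not contain ".zip" and is not flagged, which is why the rule can be kept at level high despite "Unknown" false positives. Event 4 shows that the `Image` check keeps ordinary archivers out of scope. When deploying, confirm that your process-creation source populates `CommandLine` with the full argument string; an agent that logs only the image path will never match the `contains|all` clause.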
References
- https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
Related rules
- Curl Download And Execute Combination
- Download from Suspicious Dyndns Hosts
- File Download Via Nscurl - MacOS
- File Download Via Windows Defender MpCmpRun.EXE
- Greenbug Espionage Group Indicators