PrintBrm ZIP Creation of Extraction

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Sigma rule (View on GitHub)

 1title: PrintBrm ZIP Creation of Extraction
 2id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
 3status: test
 4description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
 7author: frack113
 8date: 2022-05-02
 9tags:
10    - attack.command-and-control
11    - attack.t1105
12    - attack.defense-evasion
13    - attack.t1564.004
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection:
19        Image|endswith: '\PrintBrm.exe'
20        CommandLine|contains|all:
21            - ' -f'
22            - '.zip'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top