PrintBrm ZIP Creation of Extraction

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Sigma rule (View on GitHub)

title: PrintBrm ZIP Creation of Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022/05/02
tags:
    - attack.command_and_control
    - attack.t1105
    - attack.defense_evasion
    - attack.t1564.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\PrintBrm.exe'
        CommandLine|contains|all:
            - ' -f'
            - '.zip'
    condition: selection
falsepositives:
    - Unknown
level: high
