Use of Remote.exe
Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
Sigma rule (View on GitHub)
1title: Use of Remote.exe
2id: 4eddc365-79b4-43ff-a9d7-99422dc34b93
3status: test
4description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
5references:
6 - https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
7 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/
8author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
9date: 2022/06/02
10tags:
11 - attack.defense_evasion
12 - attack.t1127
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\remote.exe'
19 - OriginalFileName: 'remote.exe'
20 condition: selection
21falsepositives:
22 - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
23level: medium
References
-
Spawns powershell as a child process of remote.exe Remote.exe /s "powershell.exe" anythinghere Use caseExecutes a process under a trusted Microsoft signed binary Privileges requiredUser Operating s...
Read More
Related rules
- Ilasm Lolbin Use Compile C-Sharp
- JSC Convert Javascript To Executable
- Kavremover Dropped Binary LOLBIN Usage
- Node Process Executions
- Remote Thread Creation Ttdinject.exe Proxy