Sideloading Link.EXE
Detects the execution of utilities often found in Visual Studio tools that hardcode the call to the binary "link.exe". These can be abused to sideload any binary with the same name.
Sigma rule
```yaml
title: Sideloading Link.EXE
id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6
status: test
description: Detects the execution of utilities often found in Visual Studio tools that hardcode the call to the binary "link.exe". These can be abused to sideload any binary with the same name
references:
    - https://twitter.com/0gtweet/status/1560732860935729152
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/22
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\link.exe'
        CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
    # Add other filters for other legitimate locations
    filter_visual_studio:
        ParentImage|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
        ParentImage|contains: '\VC\Tools\MSVC\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
```
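The rule's logic, written out as an added example (not code from the rule page or the Sigma project) so the matching semantics are explicit: Sigma string modifiers compare case-insensitively, keys inside one selection map are ANDed, a list under one key is ORed, and `1 of filter_*` suppresses the alert when any filter block matches. The sample process_creation events are constructed (Sysmon-style field names); the Visual Studio install path used in them is an assumed, typical layout.

```python
# Added example: evaluate the 'Sideloading Link.EXE' rule against constructed events.
# Values below are copied from the rule; comparisons lower-case both sides because
# Sigma's endswith/contains/startswith modifiers are case-insensitive.
SELECTION_IMAGE_SUFFIX = "\\link.exe"
SELECTION_CMDLINE_SUBSTR = "LINK /"
VS_PARENT_PREFIXES = (
    "C:\\Program Files\\Microsoft Visual Studio\\",
    "C:\\Program Files (x86)\\Microsoft Visual Studio\\",
)
VS_PARENT_SUBSTR = "\\VC\\Tools\\MSVC\\"


def _field(event, name):
    """Fetch a field as a lower-cased string; a missing field never matches."""
    return str(event.get(name, "")).lower()


def selection(event):
    """'selection' block: Image|endswith AND CommandLine|contains (two keys in one map are ANDed)."""
    return (_field(event, "Image").endswith(SELECTION_IMAGE_SUFFIX.lower())
            and SELECTION_CMDLINE_SUBSTR.lower() in _field(event, "CommandLine"))


def filter_visual_studio(event):
    """'filter_visual_studio' block: the two-item list is ORed, the second key is ANDed with it."""
    parent = _field(event, "ParentImage")
    starts_in_vs = any(parent.startswith(p.lower()) for p in VS_PARENT_PREFIXES)
    return starts_in_vs and VS_PARENT_SUBSTR.lower() in parent


def rule_matches(event):
    """condition: selection and not 1 of filter_*"""
    filters = (filter_visual_studio,)  # extend here when adding filter_* blocks
    return selection(event) and not any(f(event) for f in filters)


# Constructed sample events, not real telemetry. The MSVC path is an assumed typical install.
VS_MSVC_BIN = ("C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\"
               "14.33.31629\\bin\\Hostx64\\x64\\")
SAMPLE_EVENTS = {
    # dumpbin.exe shipped with Visual Studio spawning its sibling link.exe: expected noise, filtered.
    "legit_dumpbin": {
        "Image": VS_MSVC_BIN + "link.exe",
        "CommandLine": "LINK /DUMP /HEADERS example.dll",
        "ParentImage": VS_MSVC_BIN + "dumpbin.exe",
    },
    # Same hardcoded 'LINK /' command line, but resolved to a link.exe outside any Visual Studio path.
    "wrapper_outside_vs": {
        "Image": "C:\\Users\\Public\\tools\\link.exe",
        "CommandLine": "LINK /DUMP /HEADERS example.dll",
        "ParentImage": "C:\\Users\\Public\\tools\\dumpbin.exe",
    },
    # link.exe started directly by a build script: no 'LINK /' marker, so outside this rule's scope.
    "direct_link_invocation": {
        "Image": "C:\\BuildTools\\link.exe",
        "CommandLine": "link.exe /OUT:app.exe main.obj",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    # Unrelated process.
    "notepad": {
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
}


def matching_event_names(events=SAMPLE_EVENTS):
    """Return the names of the events the rule would alert on, in input order."""
    return [name for name, ev in events.items() if rule_matches(ev)]


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:24s} selection={selection(ev)!s:5} "
              f"filtered={filter_visual_studio(ev)!s:5} alert={rule_matches(ev)}")
```

Running it shows why the filter is built the way it is: the `legit_dumpbin` event satisfies `selection` but is suppressed because its parent sits under a Visual Studio root and inside `\VC\Tools\MSVC\`; a wrapper relocated anywhere else keeps the same hardcoded command line and fires. The `direct_link_invocation` event shows the rule's deliberate scope: a plain `link.exe /OUT:...` build step does not carry the `LINK /` marker and is not what this rule looks for.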
Related rules
- Created Files by Microsoft Sync Center
- DeviceCredentialDeployment Execution
- Execute MSDT Via Answer File
- Execute Pcwrun.EXE To Leverage Follina
- Ie4uinit Lolbin Use From Invalid Path