Sideloading Link.EXE

Detects the execution of utilities often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name.

Sigma rule

```yaml
title: Sideloading Link.EXE
id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6
status: test
description: Detects the execution of utilities often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name
references:
    - https://twitter.com/0gtweet/status/1560732860935729152
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/22
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\link.exe'
        CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
    # Add other filters for other legitimate locations
    filter_visual_studio:
        ParentImage|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
        ParentImage|contains: '\VC\Tools\MSVC\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
```
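
To show how the selection, the filter block and the `selection and not 1 of filter_*` condition combine, here is an added Python evaluation of the rule logic over constructed process_creation events (example code, not part of the rule or the Sigma project; the sample paths and the `14.0.0` toolset version are invented):

```python
"""Evaluate the Sideloading Link.EXE rule over constructed process_creation events."""

# Sigma string modifiers on Windows process_creation fields compare case-insensitively.
def ends_with(value, suffix):
    return value.lower().endswith(suffix.lower())

def starts_with(value, prefix):
    return value.lower().startswith(prefix.lower())

def contains(value, needle):
    return needle.lower() in value.lower()

# Values copied from the rule; a list under one modifier is OR-ed.
VS_ROOTS = [
    "C:\\Program Files\\Microsoft Visual Studio\\",
    "C:\\Program Files (x86)\\Microsoft Visual Studio\\",
]

def selection(event):
    return (ends_with(event.get("Image", ""), "\\link.exe")
            and contains(event.get("CommandLine", ""), "LINK /"))

def filter_visual_studio(event):
    # Separate keys inside one Sigma map are AND-ed, so the parent must be both
    # under a Visual Studio root and inside the MSVC toolset directory.
    parent = event.get("ParentImage", "")
    return (any(starts_with(parent, root) for root in VS_ROOTS)
            and contains(parent, "\\VC\\Tools\\MSVC\\"))

FILTERS = [filter_visual_studio]  # add further filter_* functions here

def matches(event):
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not any(f(event) for f in FILTERS)

# Constructed sample events (hypothetical paths, not real telemetry).
VS = "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\14.0.0\\bin\\Hostx64\\x64\\"
SAMPLE_EVENTS = [
    {"id": "legit", "ParentImage": VS + "dumpbin.exe", "Image": VS + "link.exe",
     "CommandLine": "LINK /DUMP /HEADERS app.dll"},
    {"id": "sideload", "ParentImage": "C:\\Users\\Public\\build\\dumpbin.exe",
     "Image": "C:\\Users\\Public\\build\\link.exe", "CommandLine": "LINK /DUMP /HEADERS app.dll"},
    {"id": "unrelated", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

def alerting_ids(events):
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    print(alerting_ids(SAMPLE_EVENTS))  # ['sideload']
```

Only the event whose parent sits outside the Visual Studio toolset directory alerts; a genuine `dumpbin.exe` under `\VC\Tools\MSVC\` is suppressed by the filter even though it satisfies the selection.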
