Suspicious Sigverif Execution

calendar Oct 17, 2023 · attack.defense_evasion attack.t1216  ·
Share on: linkedin copy

Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution

Sigma rule (View on GitHub)

 1title: Suspicious Sigverif Execution
 2id: 7d4aaec2-08ed-4430-8b96-28420e030e04
 3status: test
 4description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution
 5references:
 6    - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
 7    - https://twitter.com/0gtweet/status/1457676633809330184
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/08/19
10tags:
11    - attack.defense_evasion
12    - attack.t1216
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith: '\sigverif.exe'
19    condition: selection
20falsepositives:
21    - Unknown
22level: medium

References

  • I shot the sigverif.exe – the GUI-based LOLBin

    File Signature Verification has nothing to do with launching arbitrary applications, but it is just a similar case to odbcad32.exe – the GUI apps can sometimes be abused to produce undesired effect...


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top