LOLBIN Execution From Abnormal Drive
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
Sigma rule
title: LOLBIN Execution From Abnormal Drive
id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
related:
    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74
      type: similar
status: test
description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.scythe.io/library/threat-emulation-qakbot
    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
date: 2022-01-25
modified: 2023-08-29
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: add more lolbins for additional coverage
        # The two list items below are OR'ed, so a renamed copy of a LOLBIN
        # is still selected through its OriginalFileName (PE version info).
        - Image|endswith:
              - '\calc.exe'
              - '\certutil.exe'
              - '\cmstp.exe'
              - '\cscript.exe'
              - '\installutil.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'CALC.EXE'
              - 'CertUtil.exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'installutil.exe'
              - 'MSHTA.EXE'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    # Suppress the system drive and events where CurrentDirectory was not logged.
    filter_main_currentdirectory:
        CurrentDirectory|contains: 'C:\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Rare false positives could occur on servers with multiple drives.
level: medium
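To make the rule's matching semantics concrete, the following is an added Python evaluator (it is not part of the rule, of SigmaHQ, or of any Sigma backend) that applies the selection and filter logic above to a handful of constructed Sysmon-style process_creation records. It assumes Sigma's default case-insensitive string matching; the event records, paths and ids are made up for illustration.

```python
"""Evaluate the 'LOLBIN Execution From Abnormal Drive' logic against
constructed process_creation events. Added illustration, not project code."""
from typing import Optional

# Mirrors the rule's selection lists. Sigma string matching is
# case-insensitive by default, so everything is compared lower-cased.
IMAGE_SUFFIXES = (
    "\\calc.exe", "\\certutil.exe", "\\cmstp.exe", "\\cscript.exe",
    "\\installutil.exe", "\\mshta.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\wscript.exe",
)
ORIGINAL_FILE_NAMES = {
    "calc.exe", "certutil.exe", "cmstp.exe", "cscript.exe", "installutil.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe",
}


def selection(event: dict) -> bool:
    """selection: Image|endswith any listed suffix OR OriginalFileName in the
    list. The two items are a YAML list, so Sigma ORs them."""
    image = (event.get("Image") or "").lower()
    ofn = (event.get("OriginalFileName") or "").lower()
    return image.endswith(IMAGE_SUFFIXES) or ofn in ORIGINAL_FILE_NAMES


def filtered(event: dict) -> bool:
    """1 of filter_main_*: true when CurrentDirectory is absent (null),
    empty, or contains 'C:\\' anywhere (case-insensitive)."""
    cwd: Optional[str] = event.get("CurrentDirectory")
    if cwd is None:                    # filter_main_null
        return True
    if cwd == "":                      # filter_main_empty
        return True
    return "c:\\" in cwd.lower()       # filter_main_currentdirectory


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filtered(event)


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # 1: rundll32 launched with an ISO mounted as D: as its working directory
    {"id": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE", "CurrentDirectory": "D:\\"},
    # 2: same binary, normal working directory on the system drive
    {"id": 2, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE", "CurrentDirectory": "C:\\Windows\\System32\\"},
    # 3: not a listed LOLBIN, so the odd drive alone is not enough
    {"id": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CurrentDirectory": "D:\\"},
    # 4: regsvr32 copied and renamed; OriginalFileName still selects it
    {"id": 4, "Image": "D:\\Tools\\svchost.exe",
     "OriginalFileName": "REGSVR32.EXE", "CurrentDirectory": "E:\\Docs\\"},
    # 5: CurrentDirectory not logged -> filter_main_null suppresses it
    {"id": 5, "Image": "C:\\Windows\\System32\\wscript.exe",
     "OriginalFileName": "wscript.exe", "CurrentDirectory": None},
    # 6: lower-case drive letter is still matched by the 'C:\' filter
    {"id": 6, "Image": "C:\\Windows\\System32\\mshta.exe",
     "OriginalFileName": "MSHTA.EXE", "CurrentDirectory": "c:\\users\\alice\\"},
    # 7: UNC working directory contains no 'C:\', so it alerts as well
    {"id": 7, "Image": "C:\\Windows\\System32\\cscript.exe",
     "OriginalFileName": "cscript.exe", "CurrentDirectory": "\\\\fileserver\\share\\"},
]


def alerting_event_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches(e) else "-"
        print(f'{e["id"]}: {verdict:5} {e["Image"]}  cwd={e["CurrentDirectory"]!r}')
```

Two points the walk-through makes visible: an event whose CurrentDirectory field is missing or empty is never reported, so the rule depends on the collector actually populating that field (Sysmon Event ID 1 does), and because the only drive excluded is one containing `C:\`, execution from a network share (UNC path) or any secondary local drive is treated as abnormal, which is where the rule's own false-positive note about multi-drive servers comes from.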