LOLBIN Execution From Abnormal Drive

 1title: LOLBIN Execution From Abnormal Drive
 2id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
 3related:
 4    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74
 5      type: similar
 6status: test
 7description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
 8references:
 9    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
10    - https://www.scythe.io/library/threat-emulation-qakbot
11    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
12author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
13date: 2022/01/25
14modified: 2023/08/29
15tags:
16    - attack.defense_evasion
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        # Note: add more lolbins for additional coverage
23        - Image|endswith:
24              - '\calc.exe'
25              - '\certutil.exe'
26              - '\cmstp.exe'
27              - '\cscript.exe'
28              - '\installutil.exe'
29              - '\mshta.exe'
30              - '\regsvr32.exe'
31              - '\rundll32.exe'
32              - '\wscript.exe'
33        - OriginalFileName:
34              - 'CALC.EXE'
35              - 'CertUtil.exe'
36              - 'CMSTP.EXE'
37              - 'cscript.exe'
38              - 'installutil.exe'
39              - 'MSHTA.EXE'
40              - 'REGSVR32.EXE'
41              - 'RUNDLL32.EXE'
42              - 'wscript.exe'
43    filter_main_currentdirectory:
44        CurrentDirectory|contains: 'C:\'
45    filter_main_empty:
46        CurrentDirectory: ''
47    filter_main_null:
48        CurrentDirectory: null
49    condition: selection and not 1 of filter_main_*
50falsepositives:
51    - Rare false positives could occur on servers with multiple drives.
52level: medium

References

• Diavol Ransomware

  

  In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials multiple ways, exfiltrate data and deploy domain wide ransomware in as little as 42 hours from initial access.

  
  Read More

• SCYTHE Library: Threat Emulation: Qakbot

  

  Welcome to the July 2022 SCYTHE #ThreatThursday! This edition features an emulation of Qakbot, a piece of malware that is no stranger to the threat intel community.

  
  Read More

• BumbleBee hunting with a Velociraptor

  

  BumbleBee, a malware which is mainly abused by threat actors in data exfiltration and ransomware incidents, was recently analyzed by Angelo Violetti of SEC Defence - the SEC Consult Digital Forensics and Incident Response team.

  
  Read More

Related rules

• Binary Padding - MacOS
• CobaltStrike Load by Rundll32
• ConvertTo-SecureString Cmdlet Usage Via CommandLine
• Disable Windows Defender AV Security Monitoring
• Disable of ETW Trace