LOLBIN Execution From Abnormal Drive

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Sigma rule (View on GitHub)

 1title: LOLBIN Execution From Abnormal Drive
 2id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
 3related:
 4    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74
 5      type: similar
 6status: test
 7description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
 8references:
 9    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
10    - https://www.scythe.io/library/threat-emulation-qakbot
11    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
12author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
13date: 2022-01-25
14modified: 2023-08-29
15tags:
16    - attack.defense-evasion
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        # Note: add more lolbins for additional coverage
23        - Image|endswith:
24              - '\calc.exe'
25              - '\certutil.exe'
26              - '\cmstp.exe'
27              - '\cscript.exe'
28              - '\installutil.exe'
29              - '\mshta.exe'
30              - '\regsvr32.exe'
31              - '\rundll32.exe'
32              - '\wscript.exe'
33        - OriginalFileName:
34              - 'CALC.EXE'
35              - 'CertUtil.exe'
36              - 'CMSTP.EXE'
37              - 'cscript.exe'
38              - 'installutil.exe'
39              - 'MSHTA.EXE'
40              - 'REGSVR32.EXE'
41              - 'RUNDLL32.EXE'
42              - 'wscript.exe'
43    filter_main_currentdirectory:
44        CurrentDirectory|contains: 'C:\'
45    filter_main_empty:
46        CurrentDirectory: ''
47    filter_main_null:
48        CurrentDirectory: null
49    condition: selection and not 1 of filter_main_*
50falsepositives:
51    - Rare false positives could occur on servers with multiple drives.
52level: medium

References

Related rules

to-top