Dumpbin LOLBin use for proxying execution via link.exe
Using dumpbin.exe, a Windows binary that is installed alongside Visual Studio versions. When dumpbin.exe is executed, it calls link.exe without checking the legitimacy of a binary named link.exe in the same directory, so a planted link.exe is run by a signed, trusted parent.
Sigma rule
title: Dumpbin LOLBin use for proxying execution via link.exe
description: Using dumpbin.exe, a Windows binary that is installed alongside Visual Studio versions. When dumpbin.exe is executed,
  it is calling link.exe without checking the legitimacy of the link.exe named binary in the same directory.
status: experimental
date: 2022/08/25
author: '@kostastsale'
references:
  - https://twitter.com/0gtweet/status/1560732860935729152
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\link.exe'
    ParentImage|endswith:
      - '\dumpbin.exe'
  filter:
    Image|endswith:
      - '\bin\hostx64\x64\link.exe'
      - '\bin\hostx86\x86\link.exe'
    ParentImage|endswith:
      - '\bin\hostx64\x64\dumpbin.exe'
      - '\bin\hostx86\x86\dumpbin.exe'
  condition: selection1 and not filter
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1218
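To make the condition concrete, the following is an added Python example (not part of the rule or its author's tooling) that evaluates `selection1 and not filter` over a few constructed process-creation events. Paths are lower-cased because Sigma's `endswith` modifier is case-insensitive; the event field names, sample paths and the `id` key are assumptions for this illustration.

```python
"""Evaluate the dumpbin/link.exe Sigma rule against constructed events."""

# Suffixes copied from the rule's selection1 and filter blocks.
SELECTION_IMAGE = ("\\link.exe",)
SELECTION_PARENT = ("\\dumpbin.exe",)
FILTER_IMAGE = ("\\bin\\hostx64\\x64\\link.exe", "\\bin\\hostx86\\x86\\link.exe")
FILTER_PARENT = ("\\bin\\hostx64\\x64\\dumpbin.exe", "\\bin\\hostx86\\x86\\dumpbin.exe")


def _endswith_any(value, suffixes):
    # Sigma string matching is case-insensitive by default.
    value = value.lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def selection1(event):
    return (_endswith_any(event.get("Image", ""), SELECTION_IMAGE)
            and _endswith_any(event.get("ParentImage", ""), SELECTION_PARENT))


def filter_(event):
    # Both the child and the parent must sit in a legitimate MSVC bin directory.
    return (_endswith_any(event.get("Image", ""), FILTER_IMAGE)
            and _endswith_any(event.get("ParentImage", ""), FILTER_PARENT))


def matches(event):
    """condition: selection1 and not filter"""
    return selection1(event) and not filter_(event)


# Constructed sample events (hypothetical paths, not real telemetry).
VS_BIN = "C:\\VS\\VC\\Tools\\MSVC\\14.0\\bin\\Hostx64\\x64\\"  # mixed case on purpose
EVENTS = [
    {"id": "legit", "Image": VS_BIN + "link.exe", "ParentImage": VS_BIN + "dumpbin.exe"},
    {"id": "proxied", "Image": "C:\\Users\\Public\\link.exe",
     "ParentImage": "C:\\Users\\Public\\dumpbin.exe"},
    # Genuine dumpbin, but link.exe resolved outside the MSVC directory: still alerts,
    # because the filter only suppresses when both paths are legitimate.
    {"id": "partial", "Image": "C:\\Users\\Public\\link.exe", "ParentImage": VS_BIN + "dumpbin.exe"},
    {"id": "unrelated", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": VS_BIN + "dumpbin.exe"},
]


def alerts(events):
    """Return the ids of events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # ['proxied', 'partial']
```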