Dumpbin LOLBin use for proxying execution via link.exe

dumpbin.exe is a Windows binary installed alongside Visual Studio. When dumpbin.exe is executed, it launches link.exe from its own directory without checking the legitimacy of that binary, so a file named link.exe dropped next to a copied dumpbin.exe is run by a signed Microsoft parent. This rule flags link.exe spawned by dumpbin.exe outside the expected Visual Studio toolchain directories.

Sigma rule

title: Dumpbin LOLBin use for proxying execution via link.exe
description: Using dumpbin.exe, a Windows binary that is installed alongside Visual Studio versions. When dumpbin.exe is executed,
             it is calling link.exe without checking the legitimacy of the link.exe named binary in the same directory.
status: experimental
date: 2022/08/25
author: '@kostastsale'
references:
    - https://twitter.com/0gtweet/status/1560732860935729152
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\link.exe'
        ParentImage|endswith:
            - '\dumpbin.exe'
    filter:
        Image|endswith:
            - '\bin\hostx64\x64\link.exe'
            - '\bin\hostx86\x86\link.exe'
        ParentImage|endswith:
            - '\bin\hostx64\x64\dumpbin.exe'
            - '\bin\hostx86\x86\dumpbin.exe'
    condition: selection1 and not filter
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1218
