Dumpbin LOLBin use for proxying execution via link.exe
Detects dumpbin.exe, a Windows binary installed alongside Visual Studio, spawning link.exe. When dumpbin.exe runs, it executes link.exe without checking the legitimacy of the binary named link.exe in its own directory, so a file with that name placed next to a copied dumpbin.exe is executed with dumpbin.exe as its parent. The rule flags any link.exe child of dumpbin.exe whose paths do not both sit in the expected Visual Studio toolchain folders.
Sigma rule
title: Dumpbin LOLBin use for proxying execution via link.exe
id: c8cf90cc-61ac-4c59-ba8d-739ca0d4f392
description: Using dumpbin.exe, a Windows binary that is installed alongside Visual Studio versions. When dumpbin.exe is executed,
    it is calling link.exe without checking the legitimacy of the link.exe named binary in the same directory.
status: experimental
date: 2022/08/25
author: '@kostastsale'
references:
    - https://twitter.com/0gtweet/status/1560732860935729152
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\link.exe'
        ParentImage|endswith:
            - '\dumpbin.exe'
    filter:
        Image|endswith:
            - '\bin\hostx64\x64\link.exe'
            - '\bin\hostx86\x86\link.exe'
        ParentImage|endswith:
            - '\bin\hostx64\x64\dumpbin.exe'
            - '\bin\hostx86\x86\dumpbin.exe'
    condition: selection1 and not filter
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1218
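As an added worked example (not part of the rule or its author's material), the following Python mirrors the rule's `selection1 and not filter` logic over a few constructed process_creation events. Within a Sigma selection, fields are ANDed and list values are ORed, and string matching is case-insensitive, which matters because the real toolchain folder is spelled `Hostx64`. The event names, paths and the MSVC version folder are made up.

```python
# Added example: evaluates the Sigma rule's selection/filter logic over
# constructed process_creation events. All paths and events are made up.

# Suffixes copied from the rule
SELECTION_IMAGE = ("\\link.exe",)
SELECTION_PARENT = ("\\dumpbin.exe",)
FILTER_IMAGE = ("\\bin\\hostx64\\x64\\link.exe", "\\bin\\hostx86\\x86\\link.exe")
FILTER_PARENT = ("\\bin\\hostx64\\x64\\dumpbin.exe", "\\bin\\hostx86\\x86\\dumpbin.exe")


def _endswith_any(value, suffixes):
    """Sigma's endswith modifier; string matching is case-insensitive by default."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when 'selection1 and not filter' holds for one event dict.
    Fields inside a selection are ANDed; the values listed under one field are ORed."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    selection1 = _endswith_any(image, SELECTION_IMAGE) and _endswith_any(parent, SELECTION_PARENT)
    filt = _endswith_any(image, FILTER_IMAGE) and _endswith_any(parent, FILTER_PARENT)
    return selection1 and not filt


def alerting_events(events):
    """Names of the (name, event) pairs that would raise an alert."""
    return [name for name, ev in events if matches_rule(ev)]


# Constructed sample events (hypothetical paths; the MSVC version folder is invented)
VS_BIN = ("C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\"
          "14.0\\bin\\Hostx64\\x64\\")
SAMPLE_EVENTS = [
    # Expected: dumpbin invoking the toolchain's own link.exe from the VS bin folder
    ("vs_legit", {"Image": VS_BIN + "link.exe", "ParentImage": VS_BIN + "dumpbin.exe"}),
    # Suspicious: dumpbin copied next to a file merely named link.exe
    ("proxied", {"Image": "C:\\Users\\Public\\tools\\link.exe",
                 "ParentImage": "C:\\Users\\Public\\tools\\dumpbin.exe"}),
    # Suspicious: genuine x86 toolchain parent, but the child link.exe is outside the VS tree,
    # so the filter (which needs both paths to match) does not suppress it
    ("child_outside_tree", {"Image": "C:\\Temp\\link.exe",
                            "ParentImage": VS_BIN.replace("Hostx64\\x64", "Hostx86\\x86") + "dumpbin.exe"}),
    # Not in scope: a child that is not link.exe at all
    ("other_child", {"Image": VS_BIN + "cl.exe", "ParentImage": VS_BIN + "dumpbin.exe"}),
]

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS:
        print(f"{name:20s} alert={matches_rule(ev)}")
```

Running the block prints one line per sample event; only `proxied` and `child_outside_tree` alert, while the toolchain's own dumpbin/link pair in the Visual Studio bin folder is filtered out.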
Related rules
- CMSTP installation of malicious code
- MSTeams exe side-loading - Update.exe
- Wermgr.exe spawning without command line arguments
- VSDiagnostics used for proxying execution malicious binaries