/
proc_creation_win_adplus_memory_dump.yml
38 lines (38 loc) · 1.22 KB
/
proc_creation_win_adplus_memory_dump.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
- https://twitter.com/nas_bench/status/1534916659676422152
- https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/09
modified: 2023/06/23
tags:
- attack.defense_evasion
- attack.execution
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\adplus.exe'
- OriginalFileName: 'Adplus.exe'
selection_cli:
CommandLine|contains:
# Dump process memory
- ' -hang '
- ' -pn '
- ' -pmn '
- ' -p '
- ' -po '
# Using a config file
- ' -c '
# Execute commands inline
- ' -sc '
condition: all of selection_*
falsepositives:
- Legitimate usage of Adplus for debugging purposes
level: high