/
proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
52 lines (52 loc) · 1.73 KB
/
proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
title: LOLBIN Execution From Abnormal Drive
id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
related:
- id: 5b80cf53-3a46-4adc-960b-05ec19348d74
type: similar
status: test
description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://www.scythe.io/library/threat-emulation-qakbot
- https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
date: 2022/01/25
modified: 2023/08/29
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: add more lolbins for additional coverage
- Image|endswith:
- '\calc.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\cscript.exe'
- '\installutil.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- OriginalFileName:
- 'CALC.EXE'
- 'CertUtil.exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'installutil.exe'
- 'MSHTA.EXE'
- 'REGSVR32.EXE'
- 'RUNDLL32.EXE'
- 'wscript.exe'
filter_main_currentdirectory:
CurrentDirectory|contains: 'C:\'
filter_main_empty:
CurrentDirectory: ''
filter_main_null:
CurrentDirectory: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Rare false positives could occur on servers with multiple drives.
level: medium