Uncommon Link.EXE Parent Process
Detects an uncommon parent process of "LINK.EXE". Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection:
Image|endswith: '\link.exe'
CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
# Add other filters for other legitimate locations
filter_main_visual_studio:
ParentImage|startswith:
- 'C:\Program Files\Microsoft Visual Studio\'
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
ParentImage|contains:
- '\VC\bin\'
- '\VC\Tools\'
condition: selection and not 1 of filter_main_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
Techniques