Type: Detection | Level: medium | Status: test
LOLBIN Execution From Abnormal Drive
Detects selected LOLBINs (living-off-the-land binaries) whose working directory is on a drive other than C:, for example a mounted ISO.
Authors: Christopher Peacock, SCYTHE, Angelo Violetti - SEC Consult, Aaron Herman
Created: Tue Jan 25
Updated: Tue Aug 29
Rule ID: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
Product: windows
Log Source
Product: windows
Category: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
detection:
    selection:
        # Note: add more lolbins for additional coverage
        - Image|endswith:
              - '\calc.exe'
              - '\certutil.exe'
              - '\cmstp.exe'
              - '\cscript.exe'
              - '\installutil.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'CALC.EXE'
              - 'CertUtil.exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'installutil.exe'
              - 'MSHTA.EXE'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    filter_main_currentdirectory:
        CurrentDirectory|contains: 'C:\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
False Positives
Rare false positives could occur on servers with multiple drives.
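To make the matching semantics of the rule concrete, the following Python model of the detection logic is added here for this page; it is not the rule's own code nor the output of any Sigma backend. It reproduces the rule's two ORed selection lists (case-insensitive, as Sigma string matching is), the three `filter_main_*` exclusions and the `selection and not 1 of filter_main_*` condition, and runs them over a handful of constructed process-creation events (the event dicts, their `id` values and paths are invented for illustration).

```python
"""Model of the Sigma rule 'LOLBIN Execution From Abnormal Drive' (example code for this page).

Evaluates the rule's selection, filters and condition against constructed
process-creation events. Event field names follow the Sigma process_creation
taxonomy (Image, OriginalFileName, CurrentDirectory).
"""

from typing import Dict, Iterable, List, Optional

# Values copied from the rule's selection block.
IMAGE_SUFFIXES = (
    "\\calc.exe", "\\certutil.exe", "\\cmstp.exe", "\\cscript.exe", "\\installutil.exe",
    "\\mshta.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe",
)
ORIGINAL_FILE_NAMES = (
    "CALC.EXE", "CertUtil.exe", "CMSTP.EXE", "cscript.exe", "installutil.exe",
    "MSHTA.EXE", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe",
)
_ORIGINAL_LOWER = {n.lower() for n in ORIGINAL_FILE_NAMES}


def selection(event: Dict[str, Optional[str]]) -> bool:
    """selection: (Image|endswith any suffix) OR (OriginalFileName equals any name).

    A selection written as a YAML list of maps ORs its items; Sigma string
    comparisons are case-insensitive, hence the lower() calls.
    """
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES) or original in _ORIGINAL_LOWER


def filter_main(event: Dict[str, Optional[str]]) -> bool:
    """1 of filter_main_*: CurrentDirectory contains 'C:\\', is empty, or is null/absent."""
    cwd = event.get("CurrentDirectory")
    if cwd is None:            # filter_main_null: Sigma 'null' matches a missing field
        return True
    if cwd == "":              # filter_main_empty
        return True
    return "c:\\" in cwd.lower()   # filter_main_currentdirectory (contains, not startswith)


def matches(event: Dict[str, Optional[str]]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main(event)


def evaluate(events: Iterable[Dict[str, Optional[str]]]) -> List[str]:
    """Return the ids of the events the rule would alert on, in input order."""
    return [str(e["id"]) for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Optional[str]]] = [
    # LOLBIN launched with a mounted ISO as working directory -> alert
    {"id": "iso-rundll32", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE", "CurrentDirectory": "D:\\"},
    # Same binary run from a user profile on C: -> suppressed
    {"id": "normal-certutil", "Image": "C:\\Windows\\System32\\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CurrentDirectory": "C:\\Users\\alice"},
    # Renamed copy: Image does not match, OriginalFileName from the PE header does -> alert
    {"id": "renamed-lolbin", "Image": "E:\\tools\\update.exe",
     "OriginalFileName": "RUNDLL32.EXE", "CurrentDirectory": "E:\\tools"},
    # Log source did not record CurrentDirectory -> suppressed by filter_main_null
    {"id": "no-cwd", "Image": "C:\\Windows\\System32\\mshta.exe",
     "OriginalFileName": "MSHTA.EXE"},
    # Empty CurrentDirectory -> suppressed by filter_main_empty
    {"id": "empty-cwd", "Image": "C:\\Windows\\System32\\wscript.exe",
     "OriginalFileName": "wscript.exe", "CurrentDirectory": ""},
    # UNC working directory contains no 'C:\' -> alert (the rule does not only see drive letters)
    {"id": "unc-share", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE", "CurrentDirectory": "\\\\fileserver\\share\\"},
    # Not a listed LOLBIN, even though it runs from D: -> no alert
    {"id": "not-lolbin", "Image": "D:\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CurrentDirectory": "D:\\"},
    # Lower-case drive letter still satisfies the case-insensitive contains filter -> suppressed
    {"id": "lowercase-c", "Image": "C:\\Windows\\System32\\cscript.exe",
     "OriginalFileName": "cscript.exe", "CurrentDirectory": "c:\\temp"},
]

if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("ALERT", event_id)
```

Two points the sample events make explicit: the rule keys on `CurrentDirectory`, not on where the image itself lives, so a system binary started with a removable or ISO drive as its working directory still fires; and because the exclusion is `contains: 'C:\'` rather than a drive-letter check, a UNC working directory such as a file share also fires, which is something to account for alongside the multi-drive server false positives noted above. The empty and null filters suppress events from log sources that do not populate `CurrentDirectory` at all.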
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Related Rules
Similar: 5b80cf53-3a46-4adc-960b-05ec19348d74 (rule not found in this corpus)
Rule Metadata
Rule ID
d4ca7c59-e9e4-42d8-bf57-91a776efcb87
Status
test
Level
medium
Type
Detection
Created
Tue Jan 25
Modified
Tue Aug 29
Path
rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml
Raw Tags
attack.defense-evasion