sigma | high | Hunting
Wab Execution From Non Default Location
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen with Bumblebee activity.
Detection Query
selection:
    Image|endswith:
        - \wab.exe
        - \wabmig.exe
filter:
    Image|startswith:
        - C:\Windows\WinSxS\
        - C:\Program Files\Windows Mail\
        - C:\Program Files (x86)\Windows Mail\
condition: selection and not filter
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-12
Data Sources
windows: Process Creation Events
Platforms
windows
References
Tags
attack.execution, attack.stealth
Raw Content
title: Wab Execution From Non Default Location
id: 395907ee-96e5-4666-af2e-2ca91688e151
status: test
description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wab.exe'
            - '\wabmig.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\WinSxS\'
            - 'C:\Program Files\Windows Mail\'
            - 'C:\Program Files (x86)\Windows Mail\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high