← Back to Explore
sigmahighHunting
MpiExec Lolbin
Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
Detection Query
selection_binary:
- Image|endswith: \mpiexec.exe
- Hashes|contains: IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217
selection_flags:
CommandLine|contains:
- " /n 1 "
- " -n 1 "
condition: all of selection*
Author
Florian Roth (Nextron Systems)
Created
2022-01-11
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.defense-evasionattack.t1218
Raw Content
title: MpiExec Lolbin
id: 729ce0ea-5d8f-4769-9762-e35de441586d
status: test
description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1465058133303246867
- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2024-11-23
tags:
- attack.execution
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_binary:
- Image|endswith: '\mpiexec.exe'
- Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
selection_flags:
CommandLine|contains:
- ' /n 1 '
- ' -n 1 '
condition: all of selection*
falsepositives:
- Unknown
level: high