EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

LOLBIN Execution From Abnormal Drive

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Detection Query

selection:
  - Image|endswith:
      - \calc.exe
      - \certutil.exe
      - \cmstp.exe
      - \cscript.exe
      - \installutil.exe
      - \mshta.exe
      - \regsvr32.exe
      - \rundll32.exe
      - \wscript.exe
  - OriginalFileName:
      - CALC.EXE
      - CertUtil.exe
      - CMSTP.EXE
      - cscript.exe
      - installutil.exe
      - MSHTA.EXE
      - REGSVR32.EXE
      - RUNDLL32.EXE
      - wscript.exe
filter_main_currentdirectory:
  CurrentDirectory|contains: C:\
filter_main_empty:
  CurrentDirectory: ""
filter_main_null:
  CurrentDirectory: null
condition: selection and not 1 of filter_main_*

Author

Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman

Created

2022-01-25

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasion
Raw Content
title: LOLBIN Execution From Abnormal Drive
id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
related:
    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74
      type: similar
status: test
description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.scythe.io/library/threat-emulation-qakbot
    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
date: 2022-01-25
modified: 2023-08-29
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: add more lolbins for additional coverage
        - Image|endswith:
              - '\calc.exe'
              - '\certutil.exe'
              - '\cmstp.exe'
              - '\cscript.exe'
              - '\installutil.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'CALC.EXE'
              - 'CertUtil.exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'installutil.exe'
              - 'MSHTA.EXE'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    filter_main_currentdirectory:
        CurrentDirectory|contains: 'C:\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Rare false positives could occur on servers with multiple drives.
level: medium