LOLBIN Execution From Abnormal Drive

Sigma Rules

Summary
This detection rule identifies the execution of Living Off the Land Binaries (LOLBINs) from abnormal or uncommon drives, for example from a mounted ISO. It inspects process creation events for Windows executables that are frequently abused in attacks, including 'calc.exe', 'certutil.exe', 'cmstp.exe' and similar binaries. The selection matches processes by image name or original file name and restricts hits to those whose current working directory is not on the usual C: drive, so that a LOLBIN launched from elsewhere raises an alert. The execution context is used as a filter: events with an empty or null current directory are not matched, which improves precision and limits false positives. Because this activity is often seen in advanced persistent threat and ransomware incidents, monitoring for it is a useful component of a proactive defence against adversaries who abuse legitimate tools.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-01-25