
Summary
This detection rule identifies execution of the OpenConsole binary, a known living-off-the-land binary (LOLBIN) on Windows systems. Its purpose is to detect attempts to misuse this utility to launch other binaries as a way of evading application whitelisting. The detection logic examines process creation events for executions of OpenConsole.exe in contexts where it may not be legitimate, specifically filtering out executions that originate from the Windows Terminal directory. The rule thus helps surface potentially malicious activity, especially in environments where application whitelisting is in place and could be bypassed by such legitimate-looking tools.
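As an added illustration of the detection logic described above (example code written for this page, not the rule's own query or any vendor's implementation), the following Python applies the same selection and exclusion to a few constructed process-creation events. The event field names (Image, OriginalFileName, ParentImage, CommandLine, modelled on Sysmon Event ID 1), the Windows Terminal install-path prefix used for the exclusion, the matching on OriginalFileName to catch a renamed copy, and the sample events themselves are all assumptions made for the example.

```python
from typing import Dict, List

# Assumption for this example: the packaged Windows Terminal app installs under
# this WindowsApps prefix; real deployments should confirm the exact path.
WINDOWS_TERMINAL_DIR_PREFIX = r"c:\program files\windowsapps\microsoft.windowsterminal"


def is_openconsole(event: Dict[str, str]) -> bool:
    """Selection: the created process is OpenConsole.exe, matched either on the
    image path or on the PE OriginalFileName (assumption: covers renamed copies)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\openconsole.exe") or original == "openconsole.exe"


def is_in_windows_terminal_dir(path: str) -> bool:
    """Exclusion: the binary runs from the Windows Terminal install directory."""
    return path.lower().startswith(WINDOWS_TERMINAL_DIR_PREFIX)


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event should raise an alert under the rule's logic."""
    if not is_openconsole(event):
        return False
    if is_in_windows_terminal_dir(event.get("Image", "")):
        return False
    return True


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of process-creation events that match the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); paths and versions are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Legitimate: OpenConsole launched from the Windows Terminal package directory.
        "Image": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_EXAMPLEVERSION\OpenConsole.exe",
        "OriginalFileName": "OpenConsole.exe",
        "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_EXAMPLEVERSION\WindowsTerminal.exe",
        "CommandLine": "OpenConsole.exe --headless",
    },
    {   # Suspicious: a copy of OpenConsole.exe outside the Terminal directory launching another binary.
        "Image": r"C:\Users\Public\OpenConsole.exe",
        "OriginalFileName": "OpenConsole.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"OpenConsole.exe C:\Users\Public\tool.exe",
    },
    {   # Suspicious: renamed copy, still identified via OriginalFileName (assumption).
        "Image": r"C:\Temp\oc.exe",
        "OriginalFileName": "OpenConsole.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"oc.exe C:\Temp\payload.exe",
    },
    {   # Unrelated process: must not match.
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT OpenConsole outside Windows Terminal dir:", hit["Image"], "|", hit["CommandLine"])
```

Running the block prints alerts for the second and third sample events only; the packaged Windows Terminal launch and the unrelated cmd.exe event are not reported. When tuning the exclusion, compare the prefix against the actual install path on your hosts, since a too-broad prefix would silently suppress the very executions the rule is meant to catch.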
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-06-16