Find sigma rule

Attack: Signed Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

MITRE

Tactic

defense-evasion

technique

T1218

Test : LOLBAS CustomShellHost to Spawn Process

OS

windows

Description:

This test simulates an adversary copying customshellhost.exe and calc.exe from C:\windows\system32\ to C:\temp\, renaming calc.exe to explorer.exe. Upon execution, customshellhost.exe will spawn calc.exe. Note this will only work on Windows 10 or 11. LOLBAS BishopFox

Executor

powershell

Sigma Rule

proc_creation_win_susp_copy_system_dir_lolbin.yml (id: f5d19838-41b5-476c-98d8-ba8af4929ee2)
proc_creation_win_susp_copy_system_dir.yml (id: fff9d2b7-e11c-4a69-93d3-40ef66189767)
proc_creation_win_susp_system_exe_anomaly.yml (id: e4a6b256-3e47-40fc-89d2-7a477edd6915)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test