security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/windows/process_creation/win_pc_susp_cmdl32_lolbas.yml
T
frack113 e058e56c22 fix unknown
2021-11-04 18:07:16 +01:00

30 lines
780 B
YAML
Raw Blame History

title: Suspicious Cmdl32 Execution
id: f37aba28-a9e6-4045-882c-d5004043b337
status: experimental
description: lolbas Cmdl32 is use to download a payload to evade antivirus
references:
- https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
- https://twitter.com/SwiftOnSecurity/status/1455897435063074824
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
- attack.t1202
author: frack113
date: 2021/11/03
logsource:
category: process_creation
product: windows
detection:
cmdl32:
- Image|endswith: '\cmdl32.exe'
- OriginalFileName: CMDL32.EXE
options:
CommandLine|contains|all:
- '/vpn '
- '/lan '
condition: cmdl32 and options
falsepositives:
- unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink