security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
T
frack113 1f8e37351e order yaml
2022-10-28 15:06:36 +02:00

31 lines
813 B
YAML
Raw Blame History

title: Suspicious Cmdl32 Execution
id: f37aba28-a9e6-4045-882c-d5004043b337
status: experimental
description: lolbas Cmdl32 is use to download a payload to evade antivirus
references:
- https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
- https://twitter.com/SwiftOnSecurity/status/1455897435063074824
author: frack113
date: 2021/11/03
modified: 2022/06/12
tags:
- attack.execution
- attack.defense_evasion
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmdl32.exe'
- OriginalFileName: CMDL32.EXE
selection_cli:
CommandLine|contains|all:
- '/vpn '
- '/lan '
condition: all of selection*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink