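title: Use of Adplus.exe
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: experimental
description: The "AdPlus.exe" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands
author: Nasreddine Bencherchali
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
    - https://twitter.com/nas_bench/status/1534916659676422152
    - https://twitter.com/nas_bench/status/1534915321856917506
date: 2022/06/09
logsource:
    category: process_creation
    product: windows
detection:
    # Either the image path or the PE OriginalFileName identifies adplus;
    # the OriginalFileName clause is meant to still match if the binary
    # has been copied under another name.
    selection_img:
        - Image|endswith: '\adplus.exe'
        - OriginalFileName: 'Adplus.exe'
    # Each switch is surrounded by spaces so that e.g. ' -p ' does not also
    # match the distinct '-pn' / '-po' switches, which are listed on their own.
    selection_cli:
        CommandLine|contains:
            # Dump process memory
            - ' -hang '
            - ' -pn '
            - ' -pmn '
            - ' -p '
            - ' -po '
            # Using a config file
            - ' -c '
            # Execute commands inline
            - ' -sc '
    # Both the image match and a command-line switch are required; this keeps
    # the short single-letter switches from firing on unrelated processes.
    condition: all of selection*
falsepositives:
    - Legitimate usage of Adplus
level: medium
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1003.001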