Nasreddine Bencherchali
26 lines
952 B
YAML
26 lines
952 B
YAML
title: Kavremover Dropped Binary LOLBIN Usage
|
|
id: d047726b-c71c-4048-a99b-2e2f50dc107d
|
|
status: experimental
|
|
description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
|
|
references:
|
|
- https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022/11/01
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection:
|
|
CommandLine|contains: ' run run-cmd '
|
|
filter:
|
|
ParentImage|endswith:
|
|
- '\kavremover.exe' # When launched from kavremover.exe
|
|
- '\cleanapi.exe' # When launched from KES installer
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1127
|