LOL-Binary Copied From System Directory
Nasreddine Bencherchali (Nextron Systems)
Detects a suspicious copy operation that copies a known LOLBIN out of a system directory (System32, SysWOW64, WinSxS) to another location on disk, in order to bypass detections that key on the binary's expected path rather than on the binary itself.
attack.defense_evasion attack.t1036.003
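The following is an added example of the detection idea described above, run over a few constructed process-creation command lines. It is not the Sigma rule's own logic and does not reproduce the rule's LOLBIN list: the set of binaries, the copy verbs it understands (cmd's built-in copy and xcopy) and the sample events are all assumptions made for this illustration. It flags a command line when the source path is a known LOLBIN under one of the three system directories and the destination lies outside them, and additionally notes whether the binary is renamed on the way out.

```python
import ntpath
import re

# Assumption: a small subset of well-known LOLBINs. The rule's real list is
# not reproduced here.
LOLBINS = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "bitsadmin.exe", "msiexec.exe", "cmstp.exe",
}

# The three directories named in the rule description, matched case-insensitively.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")

# Assumption: copy utilities this example understands. cmd's built-in "copy"
# only shows up inside a cmd.exe command line, so the verb is searched for
# anywhere in the token list, not just at position 0.
COPY_VERBS = {"copy", "xcopy", "xcopy.exe"}


def _tokens(cmdline):
    # Split on whitespace but keep quoted arguments (paths with spaces) whole,
    # then drop the surrounding quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _in_system_dir(path):
    p = path.lower()
    return any(d in p for d in SYSTEM_DIRS)


def _is_path(tok):
    # Assumption: only backslash paths are considered; switches start with "/".
    return "\\" in tok and not tok.startswith("/")


def detect_lolbin_copy(cmdline):
    """Return a finding dict when cmdline copies a LOLBIN out of a system
    directory to a non-system location, otherwise None."""
    toks = _tokens(cmdline)
    idx = next((i for i, t in enumerate(toks)
                if ntpath.basename(t).lower() in COPY_VERBS), None)
    if idx is None:
        return None
    paths = [t for t in toks[idx + 1:] if _is_path(t)]
    if len(paths) < 2:
        return None
    src, dst = paths[0], paths[1]
    name = ntpath.basename(src).lower()
    if name in LOLBINS and _in_system_dir(src) and not _in_system_dir(dst):
        dst_name = ntpath.basename(dst).lower()
        return {
            "lolbin": name,
            "source": src,
            "destination": dst,
            # A destination ending in a different .exe name means the copy is
            # also a rename (T1036.003); a bare directory keeps the name.
            "renamed": dst_name.endswith(".exe") and dst_name != name,
        }
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'cmd.exe /c copy C:\Windows\System32\certutil.exe C:\Users\Public\cu.exe',
    r'xcopy "C:\Windows\SysWOW64\mshta.exe" C:\ProgramData\ /Y',
    r'copy C:\Windows\System32\drivers\etc\hosts C:\Temp\hosts.bak',
    r'xcopy C:\Tools\certutil.exe C:\Users\Public\ /Y',
]


def scan(events):
    """Return (command line, finding) pairs for every event that matches."""
    hits = []
    for ev in events:
        finding = detect_lolbin_copy(ev)
        if finding is not None:
            hits.append((ev, finding))
    return hits


if __name__ == "__main__":
    for ev, finding in scan(SAMPLE_EVENTS):
        print(finding["lolbin"], "->", finding["destination"],
              "(renamed)" if finding["renamed"] else "")
```

Of the four constructed events only the first two match: the hosts file is not a LOLBIN, and a certutil.exe already sitting outside System32 is not the case this rule describes. The first hit carries the rename flag, the second copies mshta.exe into a directory under its original name.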
Merge PR #4406 from @nasbench - Multiple Updates & Additions