Rule Info

Name: LOL-Binary Copied From System Directory
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects a suspicious copy operation that copies a known LOLBIN from a system directory (System32, SysWOW64, WinSxS) to another location on disk in order to bypass detections that rely on the binary's expected path.
Date: 2023-08-29 00:00:00
Modified: None
Id: f5d19838-41b5-476c-98d8-ba8af4929ee2
Tags: attack.defense-evasion attack.t1036.003 DEMO
Type: Community Rule
Rule History

| Author | Title | Date |
|---|---|---|
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
| github-actions[bot] | Merge PR #4891 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-07-01 |
| Nasreddine Bencherchali | Merge PR #4482 From @nasbench - Add New Automation Workflows | 2023-10-18 |
| Nasreddine Bencherchali | Merge PR #4406 from @nasbench - Multiple Updates & Additions | 2023-09-07 |