LOL-Binary Copied From System Directory

Rule Info

Name
LOL-Binary Copied From System Directory
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Reference
https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
Date
2023-08-29 00:00:00
Modified
None
Id
f5d19838-41b5-476c-98d8-ba8af4929ee2
Tags
attack.defense_evasion attack.t1036.003 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f5d19838-41b5-476c-98d8-ba8af4929ee2

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4406 from @nasbench - Multiple Updates & Additions
2023-09-07
bdffe3a7f
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022