Techniques
Sample rules
Potential Adplus.EXE Abuse
- source: sigma
- techniques:
  - t1003
  - t1003.001
Description
Detects execution of “AdPlus.exe”, a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains:
    - ' -hang '
    - ' -pn '
    - ' -pmn '
    - ' -p '
    - ' -po '
    - ' -c '
    - ' -sc '
selection_img:
  - Image|endswith: \adplus.exe
  - OriginalFileName: Adplus.exe
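The following is an added worked example, not part of the Sigma rule or of the site that lists it. It transcribes the two selections above into a small matcher and runs it over constructed process-creation events (Sysmon-style field names as used by the rule; the events, paths and PIDs are invented for the test). It follows Sigma's default matching semantics as assumptions: string comparisons are case-insensitive, a list of values under one field is OR, a list of maps inside a selection is OR between the maps, and `all of selection_*` is AND across the selections. The renamed-binary event shows why the rule carries both `Image|endswith` and `OriginalFileName`.

```python
"""Evaluate the 'Potential Adplus.EXE Abuse' Sigma selections over
process-creation events (added example; Sigma matching semantics assumed)."""

# Rule logic transcribed from the rule text above; values unchanged.
SELECTION_CLI = {
    "CommandLine|contains": [
        " -hang ", " -pn ", " -pmn ", " -p ", " -po ", " -c ", " -sc ",
    ],
}
SELECTION_IMG = [
    {"Image|endswith": "\\adplus.exe"},
    {"OriginalFileName": "Adplus.exe"},
]


def _match_field(event: dict, key: str, expected) -> bool:
    """Match one 'Field|modifier: value(s)' pair; case-insensitive like Sigma."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:  # a list of values is OR
        v = str(value).lower()
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _match_selection(event: dict, selection) -> bool:
    """A map is AND over its keys; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must match."""
    return _match_selection(event, SELECTION_CLI) and _match_selection(event, SELECTION_IMG)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # SDK path plus monitored switches: fires
        "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": "adplus.exe -hang -p 1234 -o C:\\dumps",
    },
    {  # renamed copy: only OriginalFileName identifies it, still fires
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": "svc.exe -pn notepad.exe -hang -o C:\\tmp",
    },
    {  # adplus without a monitored switch: selection_cli fails
        "Image": "C:\\Windows Kits\\10\\Debuggers\\x64\\adplus.exe",
        "OriginalFileName": "Adplus.exe",
        "CommandLine": "adplus.exe -help",
    },
    {  # unrelated binary using ' -p ': selection_img fails
        "Image": "C:\\Windows\\System32\\ping.exe",
        "OriginalFileName": "ping.exe",
        "CommandLine": "ping -p 8.8.8.8",
    },
]


def alerts(events) -> list:
    """Return the indexes of the events the rule fires on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("rule fires on events:", alerts(SAMPLE_EVENTS))  # [0, 1]
```

Running the block against the sample set fires only on the first two events; the third and fourth show that each selection on its own is too broad and the rule depends on the AND between them.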