LoFP / legitimate use by an administrator

Techniques

t1059

Sample rules

Use of OpenConsole

source: sigma
technicques:
- t1059

Description

Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting

Detection logic

condition: selection and not filter
filter:
  Image|startswith: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal
selection:
- OriginalFileName: OpenConsole.exe
- Image|endswith: \OpenConsole.exe