rare false positives could occur on servers with multiple drives.

windows
sigma

Techniques

Sample rules

LOLBIN Execution From Abnormal Drive

source: sigma
technicques:

Description

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_currentdirectory:
  CurrentDirectory|contains: C:\
filter_main_empty:
  CurrentDirectory: ''
filter_main_null:
  CurrentDirectory: null
selection:
- Image|endswith:
  - \calc.exe
  - \certutil.exe
  - \cmstp.exe
  - \cscript.exe
  - \installutil.exe
  - \mshta.exe
  - \regsvr32.exe
  - \rundll32.exe
  - \wscript.exe
- OriginalFileName:
  - CALC.EXE
  - CertUtil.exe
  - CMSTP.EXE
  - cscript.exe
  - installutil.exe
  - MSHTA.EXE
  - REGSVR32.EXE
  - RUNDLL32.EXE
  - wscript.exe