LoFP / utilization of this tool should not be seen in enterprise environment

Techniques

• t1027
• t1027.004

Sample rules

Visual Basic Command Line Compiler Usage

• source: sigma
• technicques:
  • t1027
  • t1027.004

Description

Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.

Detection logic

condition: selection
selection:
  Image|endswith: \cvtres.exe
  ParentImage|endswith: \vbc.exe