title: Kavremover Dropped Binary LOLBIN Usage
id: d047726b-c71c-4048-a99b-2e2f50dc107d
status: test
description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
references:
    - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: ' run run-cmd '
    filter_main_legit_parents:
        ParentImage|endswith:
            - '\cleanapi.exe' # When launched from KES installer
            - '\kavremover.exe' # When launched from kavremover.exe
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
    - https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval '
    # Add more pattern of abuse as actions
    selection_action_reverse_shell:
        CommandLine|contains|all:
            - '.exec('
            - 'net.socket'
            - '.connect'
            - 'child_process'
    condition: selection_main and 1 of selection_action_*
falsepositives:
    - Unlikely
level: high

title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
      type: similar
    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
      type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
modified: 2025-02-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
        Image|endswith: '\aspnet_compiler.exe'
        CommandLine|contains:
            # Note: add other potential suspicious paths
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Local\Roaming\'
            - ':\Temp\'
            - ':\Windows\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Remote Thread Creation Ttdinject.exe Proxy
id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
status: test
description: Detects a remote thread creation of Ttdinject.exe used as proxy
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
modified: 2022-06-02
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith: '\ttdinject.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Silenttrinity Stager Msbuild Activity
id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
status: test
description: Detects a possible remote connections to Silenttrinity c2
references:
    - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
author: Kiran kumar s, oscd.community
date: 2020-10-11
modified: 2022-10-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\msbuild.exe'
    filter:
        DestinationPort:
            - 80
            - 443
        Initiated: 'true'
    condition: selection and filter
falsepositives:
    - Unknown
level: high

title: Suspicious Child Process of AspNetCompiler
id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
related:
    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
      type: similar
status: test
description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\aspnet_compiler.exe'
    selection_child:
        # Note: add other potential suspicious child processes and paths
        - Image|endswith:
              - '\calc.exe'
              - '\notepad.exe'
        - Image|contains:
              - '\Users\Public\'
              - '\AppData\Local\Temp\'
              - '\AppData\Local\Roaming\'
              - ':\Temp\'
              - ':\Windows\Temp\'
              - ':\Windows\System32\Tasks\'
              - ':\Windows\Tasks\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
    server, creates a file with suspicious file type, indicating that it may be an executable, script file,
    or otherwise unusual.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.initial-access
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1105
    - attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.ahk'
            - '.aspx'
            - '.au3'
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.py'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Suspicious Use of CSharp Interactive Console
id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
status: test
description: Detects the execution of CSharp interactive console by PowerShell
references:
    - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
author: Michael R. (@nahamike01)
date: 2020-03-08
modified: 2022-07-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csi.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
        OriginalFileName: 'csi.exe'
    condition: selection
falsepositives:
    - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
level: high

title: AspNetCompiler Execution
id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: frack113
date: 2021-11-24
modified: 2025-02-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
        Image|endswith: '\aspnet_compiler.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: C# IL Code Compilation Via Ilasm.EXE
id: 850d55f9-6eeb-4492-ad69-a72338f65ba4
status: test
description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
    - https://www.echotrail.io/insights/search/ilasm.exe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-07
modified: 2022-05-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\ilasm.exe'
        - OriginalFileName: 'ilasm.exe'
    selection_cli:
        CommandLine|contains:
            - ' /dll'
            - ' /exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Detection of PowerShell Execution via Sqlps.exe
id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
status: test
description: |
  This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
    - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
    - https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-10
modified: 2022-12-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlps.exe'
    selection_image:
        - Image|endswith: '\sqlps.exe'
        - OriginalFileName: 'sqlps.exe'
    filter_image:
        ParentImage|endswith: '\sqlagent.exe'
    condition: selection_parent or (selection_image and not filter_image)
falsepositives:
    - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium

title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
    - https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1218
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cdb.exe'
        - OriginalFileName: 'CDB.Exe'
    selection_cli:
        CommandLine|contains:
            - ' -c ' # Using a debugger script
            - ' -cf '
    condition: all of selection*
falsepositives:
    - Legitimate use of debugging tools
level: medium

title: Potential Mftrace.EXE Abuse
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: test
description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-08-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mftrace.exe'
    condition: selection
falsepositives:
    - Legitimate use for tracing purposes
level: medium

title: SQL Client Tools PowerShell Session Detection
id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
status: test
description: |
  This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
    - https://twitter.com/pabraeken/status/993298228840992768
author: 'Agro (@agro_sev) oscd.communitly'
date: 2020-10-13
modified: 2022-02-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\sqltoolsps.exe'
        - ParentImage|endswith: '\sqltoolsps.exe'
        - OriginalFileName: '\sqltoolsps.exe'
    filter:
        ParentImage|endswith: '\smss.exe'
    condition: selection and not filter
falsepositives:
    - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
level: medium

title: Use of Remote.exe
id: 4eddc365-79b4-43ff-a9d7-99422dc34b93
status: test
description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
references:
    - https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-02
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\remote.exe'
        - OriginalFileName: 'remote.exe'
    condition: selection
falsepositives:
    - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
level: medium

title: Use of TTDInject.exe
id: b27077d6-23e6-45d2-81a0-e2b356eea5fd
status: test
description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: 'ttdinject.exe'
        - OriginalFileName: 'TTDInject.EXE'
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Use of VSIISExeLauncher.exe
id: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8
status: test
description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VSIISExeLauncher.exe'
        - OriginalFileName: 'VSIISExeLauncher.exe'
    selection_cli:
        CommandLine|contains:
            - ' -p '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Use of Wfc.exe
id: 49be8799-7b4d-4fda-ad23-cafbefdebbc5
status: test
description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\wfc.exe'
        - OriginalFileName: 'wfc.exe'
    condition: selection
falsepositives:
    - Legitimate use by a software developer
level: medium

title: JScript Compiler Execution
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: test
description: |
    Detects the execution of the "jsc.exe" (JScript Compiler).
    Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
    - https://www.phpied.com/make-your-javascript-a-windows-exe/
    - https://twitter.com/DissectMalware/status/998797808907046913
author: frack113
date: 2022-05-02
modified: 2024-04-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\jsc.exe'
        - OriginalFileName: 'jsc.exe'
    condition: selection
falsepositives:
    - Legitimate use to compile JScript by developers.
# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
level: low