Lolbin

Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.

A machine learning model detected a parent process spawning a cluster of suspicious Windows processes with high malicious probability scores, potentially indicating LOLBins usage and defense evasion.

This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.

Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.

Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.

This threat involves the suspicious copying of files from or to Windows system directories (System32, SysWOW64, WinSxS) using command-line tools, often employed by attackers to relocate LOLBINs for defense evasion.

Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.

Adversaries can use Living-Off-The-Land Binaries (LOLBINs) such as expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to establish network connections, potentially bypassing security controls and facilitating malicious activities on Windows systems.

The ProblemChild machine learning model detected a rare Windows process indicative of defense evasion, potentially involving LOLbins, on a host not commonly associated with malicious activity.