Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
LOLBins (living-off-the-land binaries) can be renamed and run as a way to avoid detection.
Attacker's Goals
Command execution via LOLBins, while avoiding detection by renaming the file.
Investigative actions
Isolate the host and verify whether the renamed file is malicious.
Variations
- Execution of a process never seen before on the host from a renamed LOLBin process
- Execution of an unpopular renamed LOLBin process from a suspicious folder
- Execution of an unpopular renamed LOLBin process
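As an added example (not code from the original page or its vendor), the core check behind this detector, and the three variations above, can be expressed over process-creation events: a renamed LOLBin is one whose on-disk image name differs from the executable's embedded OriginalFileName (a PE version-resource field that survives renaming and that Sysmon reports on process-creation events). The LOLBin list, suspicious folders, per-host baseline and event field names are assumptions, and the sample events are constructed.

```python
"""Flag renamed LOLBin executions and classify them into the detector's variations."""
from pathlib import PureWindowsPath

# Assumed, illustrative LOLBin list keyed by embedded OriginalFileName (lower-cased).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "wscript.exe"}

# Assumed "suspicious" parent folders (lower-cased prefixes).
SUSPICIOUS_DIRS = ("c:\\users\\public", "c:\\windows\\temp", "c:\\programdata")

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1 fields.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE"},
    {"host": "ws01", "image": r"C:\Users\Public\update.exe",       "original_file_name": "RUNDLL32.EXE"},
    {"host": "ws02", "image": r"C:\Windows\Temp\svc.exe",          "original_file_name": "CertUtil.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",  "original_file_name": "NOTEPAD.EXE"},
]

# Constructed baseline: image names observed per host during the training period.
BASELINE = {"ws01": {"rundll32.exe"}, "ws02": {"certutil.exe", "svc.exe"}}


def is_renamed_lolbin(event):
    """True when the embedded name is a LOLBin but the file on disk is called something else."""
    image_name = PureWindowsPath(event["image"]).name.lower()
    original = event.get("original_file_name", "").lower()
    return original in LOLBINS and image_name != original


def in_suspicious_dir(image):
    parent = str(PureWindowsPath(image).parent).lower()
    return parent.startswith(SUSPICIOUS_DIRS)


def detect(events, baseline):
    """Return (host, image, original_file_name, variation) for each renamed LOLBin execution."""
    alerts = []
    for ev in events:
        if not is_renamed_lolbin(ev):
            continue
        name = PureWindowsPath(ev["image"]).name.lower()
        if name not in baseline.get(ev["host"], set()):
            variation = "never seen before on host"     # variation 1
        elif in_suspicious_dir(ev["image"]):
            variation = "unpopular, suspicious folder"  # variation 2
        else:
            variation = "unpopular"                     # variation 3
        alerts.append((ev["host"], ev["image"], ev["original_file_name"], variation))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

The baseline set stands in for the detector's popularity model; a production version would also feed the host-level rarity learned over the 30-day training period.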