Execution of renamed lolbin

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Masquerading (T1036)

Severity

Low

Description

LOLBins (living-off-the-land binaries: signed, built-in system utilities such as certutil.exe or rundll32.exe) can be copied under a different file name and executed to evade detections keyed on the process name. The copy still carries the original binary's version resource, so its OriginalFileName no longer matches the name it was launched under.

Attacker's Goals

Command execution via lolbins and detection avoidance via file rename.

Investigative actions

Isolate the host and verify whether the file is malicious: compare the executed file name with the OriginalFileName in its PE version resource, check the file's signature and hash against the genuine system binary, and review the command line, the parent process, and any child processes it spawned.

Variations

Execution of a process never seen before on the host from a renamed lolbin process

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Masquerading (T1036)

Severity

Medium

Description

Lolbins can be renamed and run as a way to avoid detection.

Attacker's Goals

Command execution via lolbins and detection avoidance via file rename.

Investigative actions

Isolate the host and verify whether the file is malicious.


Execution of unpopular renamed lolbin process from suspicious folder

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Masquerading (T1036)

Severity

Medium

Description

Lolbins can be renamed and run as a way to avoid detection.

Attacker's Goals

Command execution via lolbins and detection avoidance via file rename.

Investigative actions

Isolate the host and verify whether the file is malicious.


Execution of unpopular renamed lolbin process

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Masquerading (T1036)

Severity

Medium

Description

Lolbins can be renamed and run as a way to avoid detection.

Attacker's Goals

Command execution via lolbins and detection avoidance via file rename.

Investigative actions

Isolate the host and verify whether the file is malicious.
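The base alert and its three variations above describe one detection with escalating severity. The following is an added worked example, not Cortex XDR's own analytics and not code from this reference: a toy detector that flags a renamed LOLBin by comparing the executed file name with the PE version-resource OriginalFileName (Sysmon Event ID 1 exposes that field as OriginalFileName), then escalates to the variations using a constructed baseline that stands in for the training period. The LOLBin list, the suspicious-folder list, the popularity threshold, the baseline, and the sample events are all assumptions constructed for the example.

```python
"""Toy detector for the "Execution of renamed lolbin" alert family.

Added illustration, not Cortex XDR's own analytics. It assumes process-start
events carrying the executed image path, the parent image, and the PE
version-resource OriginalFileName for both (Sysmon Event ID 1 exposes the
field as OriginalFileName). The per-host and per-image history that the real
analytics learn during the training period is replaced by a constructed baseline.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# A small sample of well-known LOLBins keyed by PE OriginalFileName (assumed list).
LOLBIN_ORIGINAL_NAMES = {
    "certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "powershell.exe", "cmd.exe", "bitsadmin.exe", "msiexec.exe", "wscript.exe",
}
# Folders from which system tools are rarely launched legitimately (assumed list).
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                      "\\windows\\temp\\", "\\programdata\\")
UNPOPULAR_HOST_THRESHOLD = 3      # assumed: seen on fewer hosts than this = "unpopular"
DEDUP_SECONDS = 24 * 3600         # the page's 1-day deduplication period


@dataclass(frozen=True)
class ProcessEvent:
    ts: int                         # epoch seconds
    host: str
    image: str                      # path of the executed file
    original_file_name: str         # from the executed file's version resource
    parent_image: str
    parent_original_file_name: str


@dataclass
class Baseline:
    """Stand-in for the training period: images each host has run, and host count per image."""
    seen_images: dict = field(default_factory=dict)      # host -> set of lower-case image paths
    hosts_per_image: dict = field(default_factory=dict)  # lower-case image path -> host count

    def seen_on_host(self, host, image):
        return image.lower() in self.seen_images.get(host, set())

    def is_unpopular(self, image):
        return self.hosts_per_image.get(image.lower(), 0) < UNPOPULAR_HOST_THRESHOLD


def is_renamed_lolbin(original_file_name, image):
    """True when the version resource says LOLBin but the file runs under another name."""
    original = original_file_name.lower()
    return original in LOLBIN_ORIGINAL_NAMES and PureWindowsPath(image).name.lower() != original


def in_suspicious_folder(image):
    return any(folder in image.lower() for folder in SUSPICIOUS_FOLDERS)


def classify(ev, baseline):
    """Return (alert name, severity) for one event, or None when nothing fires."""
    # Variation: a renamed LOLBin is the parent and the child is new to this host.
    if (is_renamed_lolbin(ev.parent_original_file_name, ev.parent_image)
            and not baseline.seen_on_host(ev.host, ev.image)):
        return ("Execution of a process never seen before on the host from a renamed lolbin process", "Medium")
    if not is_renamed_lolbin(ev.original_file_name, ev.image):
        return None
    if baseline.is_unpopular(ev.image):
        if in_suspicious_folder(ev.image):
            return ("Execution of unpopular renamed lolbin process from suspicious folder", "Medium")
        return ("Execution of unpopular renamed lolbin process", "Medium")
    return ("Execution of renamed lolbin", "Low")


def run(events, baseline):
    """Classify events in time order; suppress repeats of one alert per host/image within a day."""
    last_fired, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev, baseline)
        if hit is None:
            continue
        key = (ev.host, ev.image.lower(), hit[0])
        if key in last_fired and ev.ts - last_fired[key] < DEDUP_SECONDS:
            continue
        last_fired[key] = ev.ts
        alerts.append((ev.host, ev.image, hit[0], hit[1]))
    return alerts


# Constructed sample data: a baseline plus seven process-start events.
SAMPLE_BASELINE = Baseline(
    seen_images={"WS01": {r"c:\windows\system32\cmd.exe", r"c:\windows\explorer.exe"}},
    hosts_per_image={r"c:\program files\vendor\helper.exe": 40,
                     r"c:\users\public\svchost32.exe": 1,
                     r"c:\tools\rs.exe": 1},
)
EXPLORER = (r"C:\Windows\explorer.exe", "EXPLORER.EXE")
SAMPLE_EVENTS = [
    # Genuine certutil under its own name: no alert.
    ProcessEvent(1000, "WS01", r"C:\Windows\System32\certutil.exe", "CertUtil.exe", *EXPLORER),
    # certutil copied to a public folder and renamed; seen on one host only.
    ProcessEvent(1010, "WS01", r"C:\Users\Public\svchost32.exe", "CertUtil.exe", *EXPLORER),
    # The renamed certutil then spawns something this host has never run.
    ProcessEvent(1020, "WS01", r"C:\Windows\Temp\payload.exe", "payload.exe",
                 r"C:\Users\Public\svchost32.exe", "CertUtil.exe"),
    # Same parent spawns cmd.exe, already in the host baseline and not renamed: nothing fires.
    ProcessEvent(1030, "WS01", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 r"C:\Users\Public\svchost32.exe", "CertUtil.exe"),
    # The renamed certutil runs again ten minutes later: deduplicated.
    ProcessEvent(1610, "WS01", r"C:\Users\Public\svchost32.exe", "CertUtil.exe", *EXPLORER),
    # rundll32 shipped under a vendor name on 40 hosts: renamed but popular, so Low.
    ProcessEvent(2000, "WS02", r"C:\Program Files\Vendor\helper.exe", "RUNDLL32.EXE", *EXPLORER),
    # regsvr32 renamed in an ordinary folder, seen on one host: unpopular.
    ProcessEvent(3000, "WS03", r"C:\Tools\rs.exe", "REGSVR32.EXE", *EXPLORER),
]

if __name__ == "__main__":
    for host, image, alert, severity in run(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{severity:6} {host} {image}: {alert}")
```

The popularity check is what keeps the base alert at Low: a vendor that ships rundll32.exe under its own name on every workstation is renamed but expected, while a one-off copy in C:\Users\Public is not. Note that the check only works when the event source records OriginalFileName; a process telemetry feed that carries only the executed path cannot distinguish a renamed LOLBin from any other unknown binary.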