Fileless/Obfuscated LOLBin Attack Chain Detected
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
Detects chained usage of binaries like PowerShell / regsvr32 to execute malicious payloads via scripts. This indicates advanced evasion techniques leveraging LOLBins for fileless execution to bypass traditional security controls.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Detection Events" AND ((NAME = "attacker methodology" AND (MITRETACTIC = "ai powered ioa" OR MITRETACTIC = "execution")) AND SEVERITYLEVEL = "Critical,High" )
Action2:
actionname = "Process started" AND ((MESSAGE contains "regsvr" AND (PROCESSNAME endswith "regsvr32.exe" OR ORIGINALFILENAME = "regsvr32.exe")) AND COMMANDLINE contains "scrobj.dll" ) AND HOSTNAME = Action1.ENDPOINT_NAME AND USERNAME = Action1.USERNAME
sequence:Action1 followedby Action2 within 10m
select Action1.NAME,Action1.SEVERITYLEVEL,Action1.FILE_NAME,Action1.FILEPATH,Action1.ENDPOINT_NAME,Action1.DOMAIN,Action1.USERNAME,Action1.PATTERN,Action1.OUTCOME,Action1.MITRETACTIC,Action1.MITRETECHNIQUE,Action1.CATEGORY,Action1.COMMANDLINE,Action2.HOSTNAME,Action2.MESSAGE,Action2.COMMANDLINE,Action2.FILE_NAME,Action2.PROCESSNAME,Action2.USERNAME,Action2.PARENTPROCESSNAME,Action2.DOMAIN,Action2.ORIGINALFILENAME,Action2.PARENTPROCESSID,Action2.PROCESSID,Action2.PRODUCT_NAME,Action2.SECURITYID
Detection
Execution Mode
realtime
Log Sources
CrowdStrike Falcon


