Fileless/Obfuscated LOLBin Attack Chain Detected

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

Detects chained usage of binaries like PowerShell / regsvr32 to execute malicious payloads via scripts. This indicates advanced evasion techniques leveraging LOLBins for fileless execution to bypass traditional security controls.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Detection Events" AND ((NAME = "attacker methodology" AND (MITRETACTIC = "ai powered ioa" OR MITRETACTIC = "execution")) AND SEVERITYLEVEL = "Critical,High" ) Action2: actionname = "Process started" AND ((MESSAGE contains "regsvr" AND (PROCESSNAME endswith "regsvr32.exe" OR ORIGINALFILENAME = "regsvr32.exe")) AND COMMANDLINE contains "scrobj.dll" ) AND HOSTNAME = Action1.ENDPOINT_NAME AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 10m select Action1.NAME,Action1.SEVERITYLEVEL,Action1.FILE_NAME,Action1.FILEPATH,Action1.ENDPOINT_NAME,Action1.DOMAIN,Action1.USERNAME,Action1.PATTERN,Action1.OUTCOME,Action1.MITRETACTIC,Action1.MITRETECHNIQUE,Action1.CATEGORY,Action1.COMMANDLINE,Action2.HOSTNAME,Action2.MESSAGE,Action2.COMMANDLINE,Action2.FILE_NAME,Action2.PROCESSNAME,Action2.USERNAME,Action2.PARENTPROCESSNAME,Action2.DOMAIN,Action2.ORIGINALFILENAME,Action2.PARENTPROCESSID,Action2.PROCESSID,Action2.PRODUCT_NAME,Action2.SECURITYID

Detection

Execution Mode

realtime

Log Sources

CrowdStrike Falcon