Potential Adplus.EXE Abuse

About the rule

Rule Type

Standard

Rule Description

AdPlus.exe is a Living Off the Land binary (LOLBin) found in the Windows Software Development Kit (SDK), often used to troubleshoot application crashes. LOLBins are legitimate tools or binaries native to the operating system that can be abused by attackers to execute malware, evading detection. Adplus.exe is one such binary exploited by attackers to dump credentials from the LSASS process memory. This rule detects the execution of the Adplus.exe binary to access LSASS credentials.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Defense Evasion → Credential Access → LSASS memory dumping

Impact

• Credential access
• Privilege abuse
• Defense evasion

Rule Requirement

Prerequisites

• Windows Event Viewer

Logon to Group Policy Management Console with administrative privileges and enable auditing for process creation and termination events. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

• Sysmon

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

(((( COMMANDLINE CONTAINS ""-hang"" ) OR ( COMMANDLINE CONTAINS ""-pn"" ) OR ( COMMANDLINE CONTAINS ""-pmn"" ) OR ( COMMANDLINE CONTAINS ""-p"" ) OR ( COMMANDLINE CONTAINS ""-po"" ) OR ( COMMANDLINE CONTAINS ""-c"" ) OR ( COMMANDLINE CONTAINS ""-sc"" ) )) AND ((( PROCESSNAME ENDS_WITH ""\\adplus.exe"" ) ) OR ((ORIGINALFILENAME = ""adplus.exe"" ))))

This rule is triggered when the executed process is associated with the following suspicious elements:

• \\adplus.exe or adplus.exe: Refers to the process or file associated with the AdPlus binary.
• -hang, -pn, -pmn, -p, -po, -c, -sc: Command line switches that are used along with AdPlus.exe for credential dumping.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.

When this rule is triggered, you're notified of the execution of AdPlus.exe. This enables you to identify credential harvesting attempts targeting LSASS and flag suspicious processes masquerading as legitimates ones.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule might be triggered when system administrators execute the AdPlus.exe process to troubleshoot application crashes or hangs.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Enable LSASS auditing: Continuously monitor system processes, detect process executions targeting the LSASS process memory, and limit dumping/debugging permissions to administrators only.

Mitigation