Skip to content

Add ADS abuse and signed-binary LOLBIN detection rules#6092

Open
einlamye wants to merge 3 commits into
SigmaHQ:masterfrom
einlamye:sigma-pr3-ads-abuse-lolbins
Open

Add ADS abuse and signed-binary LOLBIN detection rules#6092
einlamye wants to merge 3 commits into
SigmaHQ:masterfrom
einlamye:sigma-pr3-ads-abuse-lolbins

Conversation

@einlamye

Copy link
Copy Markdown
Contributor

Summary of the Pull Request

Adds detection coverage for NTFS Alternate Data Stream (ADS, T1564.004) hiding/execution via Living-Off-The-Land binaries, and for signed Microsoft binaries abused for proxy execution / application-whitelisting bypass / remote ingress (T1127 / T1218 / T1105). All rules reference the corresponding LOLBAS-Project entries.

Changelog

new: Esentutl Write To Alternate Data Stream
new: Expand Write To Alternate Data Stream
new: Forfiles Command Execution From Alternate Data Stream
new: Makecab Compression Into Alternate Data Stream
new: Remote File Download Via Signed Microsoft LOLBin
new: Tar Archive Into Alternate Data Stream
new: Application Whitelisting Bypass Via Microsoft.Workflow.Compiler.EXE
new: Proxy Execution Via Mscopilot.EXE GPU-Launcher
new: Application Whitelisting Bypass Via Syssetup.DLL
new: Alternate Data Stream Manipulation Via Streams.EXE
new: Potential AWL Bypass Via Vstest.Console.EXE

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Review Needed The PR requires review Rules Windows Pull request add/update windows related rules

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant