Detection: Windows DotNet Binary in Non Standard Path

Description

The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a list. If one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to Windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the list. Lookup - https://github.com/splunk/security_content/blob/develop/lookups/is_net_windows_file.csv.

Annotations

No annotations available.

Implementation

Collect endpoint data such as sysmon or 4688 events.

Known False Positives

False positives may be present and filtering may be required. Certain utilities will run from non-standard paths based on the third-party application in use.

Associated Analytic Story

• Masquerading - Rename System Utilities

• Unusual Processes

• Ransomware

• Signed Binary Proxy Execution InstallUtil

• WhisperGate

Risk Based Analytics (RBA)

References

• https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml

• https://attack.mitre.org/techniques/T1036/003/

• https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

• https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md

Version: 4