Skip to content

Hide Navigation Hide TOC

Potential Adplus.EXE Abuse (2f869d59-7f6a-4931-992c-cce556ff2d53)

Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.

Cluster A Galaxy A Cluster B Galaxy B Level
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Potential Adplus.EXE Abuse (2f869d59-7f6a-4931-992c-cce556ff2d53) Sigma-Rules 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2