
Bad Opsec Defaults Sacrificial Processes With Improper Arguments (a7c3d773-caef-227e-a7e7-c2f13c622329)

Detects attackers using tooling with bad opsec defaults, e.g. spawning a sacrificial process to inject a capability into it without taking into account how that process is normally run. One trivial example is rundll32.exe launched without arguments as a sacrificial process (the default in CS, now highlighted by c2lint); another is WerFault run without arguments (Kraken; credit am0nsec). Other examples exist.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Bad Opsec Defaults Sacrificial Processes With Improper Arguments (a7c3d773-caef-227e-a7e7-c2f13c622329) | Sigma-Rules | Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | 2 |