Skip to content

Hide Navigation Hide TOC

LOL-Binary Copied From System Directory (f5d19838-41b5-476c-98d8-ba8af4929ee2)

Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.

Cluster A Galaxy A Cluster B Galaxy B Level
LOL-Binary Copied From System Directory (f5d19838-41b5-476c-98d8-ba8af4929ee2) Sigma-Rules Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern 1
Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2