added

New Recipes to Detect Suspicious LOLBin Processes

Added Suspicious LOLBin Process Detection - PowerShell

This PowerShell script scans the running processes on a Windows system to detect suspicious use of common LOLBins (Living-Off-The-Land Binaries): legitimate, signed system executables such as certutil.exe, mshta.exe or rundll32.exe that attackers abuse because they are already present and trusted. It checks whether any LOLBin process is running with command-line arguments that match a list of suspicious keywords (such as URLs, encoded commands, or script file extensions).

If suspicious usage is found, the script logs detailed information (process name, PID, user, command line, matched keyword) to a timestamped log file and outputs a concise summary of the detected processes. If nothing matches, it outputs a message stating that no suspicious LOLBin processes were detected.


Added Suspicious LOLBin Process Detection - Custom Service

This custom service runs the same check on a schedule: every 5 minutes it scans the running processes on a Windows system for suspicious use of common LOLBins (Living-Off-The-Land Binaries), legitimate system executables often abused by attackers. It checks whether any LOLBin process is running with command-line arguments that match a list of suspicious keywords (such as URLs, encoded commands, or script file extensions).

If suspicious usage is found, the service logs detailed information (process name, PID, user, command line, matched keyword) to a timestamped log file and outputs a concise summary of the detected processes. If nothing matches, it outputs a message stating that no suspicious LOLBin processes were detected.

Caveat: N-central can only run this script at 5-minute intervals, and each run is a point-in-time snapshot of the process list, so a LOLBin that starts and exits between two runs (for example a one-shot certutil download) is never seen. It provides some insight into suspicious activity, but it is not as comprehensive or timely as a dedicated MDR (Managed Detection and Response) tool like Adlumin.
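The following is an added example of the detection logic described for both the PowerShell recipe and the custom service above. It is illustrative code written for this page, not the recipe's own script: the LOLBin list, the keyword patterns and the log directory are assumptions chosen here and should be tuned to the environment. It reads command lines from Win32_Process (Get-Process does not expose them), skips its own PowerShell host process so the scanner does not flag itself, and writes JSON-formatted hits to a timestamped log file.

```powershell
# Added example for this page, not the recipe's own code.
# Assumed LOLBin list (lower-case image names); extend as needed.
$LolBins = @('powershell.exe','pwsh.exe','cmd.exe','mshta.exe','rundll32.exe',
             'regsvr32.exe','certutil.exe','bitsadmin.exe','wscript.exe','cscript.exe',
             'msiexec.exe','wmic.exe','installutil.exe','msbuild.exe','cmstp.exe')

# Assumed suspicious keyword patterns: remote URLs, encoded/hidden PowerShell,
# download helpers, script file extensions. Matched case-insensitively below.
$SuspiciousPatterns = @(
    'https?://', '-enc(odedcommand)?\b', 'frombase64string', 'downloadstring',
    'downloadfile', 'invoke-expression', '\biex\b', '-nop(rofile)?\b',
    '-w(indowstyle)? hidden', 'bypass', 'urlcache', 'javascript:', 'scrobj\.dll',
    '\.ps1\b', '\.vbs\b', '\.js\b', '\.hta\b', '\.bat\b', '\.cmd\b'
)

function Test-SuspiciousLolbin {
    # Returns the first matching pattern for a LOLBin command line, or $null.
    param(
        [Parameter(Mandatory)] [string]$Name,
        [AllowNull()] [string]$CommandLine
    )
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($LolBins -notcontains $Name.ToLower()) { return $null }
    foreach ($pattern in $SuspiciousPatterns) {
        if ($CommandLine -imatch $pattern) { return $pattern }
    }
    return $null
}

function Get-SuspiciousLolbinProcess {
    # Win32_Process carries CommandLine and ParentProcessId; Get-Process does not.
    foreach ($p in (Get-CimInstance -ClassName Win32_Process)) {
        if ($p.ProcessId -eq $PID) { continue }   # the scanner itself is a powershell.exe with a .ps1 argument
        $hit = Test-SuspiciousLolbin -Name $p.Name -CommandLine $p.CommandLine
        if (-not $hit) { continue }
        $owner = try { Invoke-CimMethod -InputObject $p -MethodName GetOwner } catch { $null }
        $user = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }
        [pscustomobject]@{
            Time        = Get-Date -Format o
            ProcessName = $p.Name
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            User        = $user
            CommandLine = $p.CommandLine
            Matched     = $hit
        }
    }
}

function Invoke-LolbinScan {
    # Assumed log location; one timestamped file per run that found something.
    param([string]$LogDir = "$env:ProgramData\LolbinScan")
    $hits = @(Get-SuspiciousLolbinProcess)
    if ($hits.Count -eq 0) {
        Write-Output 'No suspicious LOLBin processes detected.'
        return
    }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ("lolbin-{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $hits | ConvertTo-Json -Depth 3 | Set-Content -Path $log -Encoding UTF8
    Write-Output ("{0} suspicious LOLBin process(es) detected; details written to {1}" -f $hits.Count, $log)
    $hits | Select-Object ProcessName, PID, ParentPID, User, Matched | Format-Table -AutoSize
}

Invoke-LolbinScan
```

Run it once from an elevated prompt for the ad-hoc recipe, or have N-central invoke it on its 5-minute schedule for the service variant; each run is independent, so the service needs no state between runs. Expect noise on first use: RMM agents, installers and management tooling routinely launch msiexec.exe, rundll32.exe or cmd.exe with URLs or script paths, so keep the parent PID in the log and whitelist known parents before treating a hit as an alert. Because the scan only sees processes alive at that instant, it complements rather than replaces process-creation telemetry (Windows Security event 4688 with command-line auditing enabled, or Sysmon event ID 1), which records short-lived LOLBin executions the scan would miss.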