Detection Rules - lpe.exe (Arsenal-237 Privilege Escalation Module)
Overview
This detection guide focuses on identifying lpe.exe, a sophisticated local privilege escalation (LPE) wrapper from the Arsenal-237 malware toolkit. This executable employs five independent escalation techniques, providing 99.99%+ success rate across diverse Windows environments.
Malware Family: Arsenal-237 Privilege Escalation Wrapper
Severity: CRITICAL
Attack Chain Function: Wraps killer.dll/killer.exe and executes it with SYSTEM privileges to enable defense evasion
Typical Usage: lpe.exe C:\path\to\killer.dll
Last Updated: 2026-01-25
Detection Strategy
Priority 1: Behavioral Detection (HIGH CONFIDENCE)
Focus on privilege escalation API sequences and multi-technique patterns as highest-priority indicators.
Priority 2: File-Based Detection
Hash-based detection for known lpe.exe samples (SHA256: c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e).
Priority 3: Registry & Process Monitoring
Monitor for UAC bypass registry modifications and unusual process hierarchies (schtasks, wmic, fodhelper spawned by unexpected parents).
Table of Contents
- YARA Detection Rules
- Sigma Detection Rules
- EDR Hunting Queries
- SIEM Detection Rules
- Implementation Guidance
YARA Detection Rules
Rule 1: lpe.exe File Hash Detection
rule Arsenal237_LPE_EXE_Hash {
meta:
description = "Detects Arsenal-237 lpe.exe by file hash"
author = "Threat Intelligence Team"
date = "2026-01-25"
hash = "c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e"
severity = "CRITICAL"
family = "Arsenal-237"
condition:
hash.sha256(0, filesize) == "c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e" or
hash.md5(0, filesize) == "47400a6b7c84847db0513e6dbc04e469"
}
Rule 2: Token Manipulation API Pattern
rule Arsenal237_LPE_Token_Manipulation {
meta:
description = "Detects lpe.exe token impersonation API pattern"
author = "Threat Intelligence Team"
date = "2026-01-25"
severity = "HIGH"
technique = "T1134.001 - Token Impersonation"
strings:
$api1 = "CreateToolhelp32Snapshot" ascii wide
$api2 = "OpenProcessToken" ascii wide
$api3 = "DuplicateTokenEx" ascii wide
$api4 = "ImpersonateLoggedOnUser" ascii wide
$api5 = "Process32FirstW" ascii wide
$api6 = "Process32NextW" ascii wide
$process1 = "winlogon.exe" ascii wide nocase
$process2 = "lsass.exe" ascii wide nocase
$process3 = "services.exe" ascii wide nocase
$process4 = "csrss.exe" ascii wide nocase
condition:
uint16(0) == 0x5A4D and
all of ($api*) and
2 of ($process*)
}
Rule 3: UAC Bypass Registry Hijack Pattern
rule Arsenal237_LPE_UAC_Bypass {
meta:
description = "Detects lpe.exe UAC bypass via registry hijack"
author = "Threat Intelligence Team"
date = "2026-01-25"
severity = "HIGH"
technique = "T1548.002 - UAC Bypass"
strings:
$reg1 = "HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command" ascii wide nocase
$reg2 = "DelegateExecute" ascii wide
$reg3 = "reg add" ascii wide nocase
$reg4 = "fodhelper.exe" ascii wide nocase
$reg5 = "reg delete" ascii wide nocase
condition:
uint16(0) == 0x5A4D and
all of ($reg*)
}
Rule 4: Scheduled Task Privilege Escalation
Note: Unlike UAC bypass (hijacking fodhelper.exe) or named pipe (exploiting Print Spooler), this technique uses schtasks.exe directly through its administrative capabilities. Task names are likely randomized at runtime and not hardcoded in the malware.
rule Arsenal237_LPE_Schtasks {
meta:
description = "Detects lpe.exe scheduled task escalation via direct schtasks.exe use"
author = "Threat Intelligence Team"
date = "2026-01-25"
severity = "HIGH"
technique = "T1053.005 - Scheduled Task"
note = "Task name likely randomized - cannot rely on specific task names"
strings:
$schtasks1 = "schtasks" ascii wide nocase
$schtasks2 = "/create" ascii wide nocase
$schtasks3 = "/tn" ascii wide nocase
$schtasks4 = "/ru SYSTEM" ascii wide nocase
$schtasks5 = "/delete" ascii wide nocase
condition:
uint16(0) == 0x5A4D and
all of ($schtasks*)
}
Rule 5: Named Pipe Impersonation Pattern
rule Arsenal237_LPE_Named_Pipe {
meta:
description = "Detects lpe.exe named pipe impersonation"
author = "Threat Intelligence Team"
date = "2026-01-25"
severity = "HIGH"
technique = "T1055.001 - Named Pipe Impersonation"
strings:
$pipe1 = "CreateNamedPipeW" ascii wide
$pipe2 = "ImpersonateNamedPipeClient" ascii wide
$pipe3 = "ConnectNamedPipe" ascii wide
$pipe4 = "\\\\\\\\.\\\\pipe\\\\" ascii wide
$pipe5 = "spoolss" ascii wide nocase
$ps = "powershell" ascii wide nocase
$ps_pipe = "NamedPipeClientStream" ascii wide
condition:
uint16(0) == 0x5A4D and
(all of ($pipe*) or ($ps and $ps_pipe))
}
Rule 6: WMIC Process Creation Pattern
rule Arsenal237_LPE_WMIC {
meta:
description = "Detects lpe.exe WMIC process creation"
author = "Threat Intelligence Team"
date = "2026-01-25"
severity = "MEDIUM"
technique = "T1047 - WMI"
strings:
$wmic1 = "wmic" ascii wide nocase
$wmic2 = "process" ascii wide nocase
$wmic3 = "call" ascii wide nocase
$wmic4 = "create" ascii wide nocase
condition:
uint16(0) == 0x5A4D and
all of ($wmic*)
}
Sigma Detection Rules
Rule 1: Token Impersonation Detection
title: Privilege Escalation via Token Impersonation (lpe.exe)
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
status: experimental
description: Detects token impersonation sequence characteristic of lpe.exe
author: Threat Intelligence Team
date: 2026/01/25
references:
- lpe.exe analysis report
- Arsenal-237 malware toolkit investigation
tags:
- attack.privilege_escalation
- attack.t1134.001
logsource:
product: windows
category: process_access
detection:
selection_process_access:
TargetImage|endswith:
- '\\winlogon.exe'
- '\\lsass.exe'
- '\\services.exe'
- '\\csrss.exe'
GrantedAccess:
- '0x1410' # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
- '0x1000' # PROCESS_QUERY_LIMITED_INFORMATION
selection_api:
CallTrace|contains:
- 'OpenProcessToken'
- 'DuplicateTokenEx'
- 'ImpersonateLoggedOnUser'
condition: selection_process_access and selection_api
falsepositives:
- Legitimate administrative tools performing token operations (rare)
level: critical
Rule 2: UAC Bypass via Registry Hijack
title: UAC Bypass via ms-settings Registry Hijack (lpe.exe)
id: b2c3d4e5-f6a7-8901-2345-678901bcdefg
status: experimental
description: Detects UAC bypass via fodhelper.exe registry hijack (lpe.exe technique)
author: Threat Intelligence Team
date: 2026/01/25
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1548.002
logsource:
product: windows
category: registry_set
detection:
selection_registry:
TargetObject|contains:
- '\\Software\\Classes\\ms-settings\\Shell\\Open\\command'
EventType: SetValue
selection_fodhelper:
EventID: 1 # Process creation
Image|endswith: '\\fodhelper.exe'
ParentImage|endswith:
- '\\reg.exe'
- '\\lpe.exe'
timeframe: 30s
condition: selection_registry and selection_fodhelper
falsepositives:
- Legitimate software installation (extremely rare)
level: critical
Rule 3: Scheduled Task Creation as SYSTEM
title: Scheduled Task Created as SYSTEM (lpe.exe)
id: c3d4e5f6-a7b8-9012-3456-789012cdefgh
status: experimental
description: Detects scheduled task creation with SYSTEM privileges from non-administrative process (direct use of schtasks.exe, not hijacking another component)
author: Threat Intelligence Team
date: 2026/01/25
references:
- Task names are likely randomized - detection should focus on /ru SYSTEM parameter, not task name
tags:
- attack.privilege_escalation
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\\schtasks.exe'
CommandLine|contains|all:
- '/create'
- '/ru'
- 'SYSTEM'
filter_admin:
User|contains:
- 'NT AUTHORITY\\SYSTEM'
- 'Administrator'
condition: selection and not filter_admin
falsepositives:
- System administrators manually creating SYSTEM tasks (should be reviewed)
- Legitimate administrative scripts using schtasks.exe
level: high
Rule 4: Named Pipe Impersonation Attack
title: Named Pipe Impersonation Attack (lpe.exe)
id: d4e5f6a7-b8c9-0123-4567-890123defghi
status: experimental
description: Detects named pipe creation followed by impersonation attempt
author: Threat Intelligence Team
date: 2026/01/25
tags:
- attack.privilege_escalation
- attack.t1055.001
logsource:
product: windows
category: pipe_created
detection:
selection_pipe:
EventID: 17 # Sysmon pipe created
PipeName|contains:
- 'spoolss'
- 'pipe'
selection_powershell:
EventID: 1 # Process creation
Image|endswith: '\\powershell.exe'
CommandLine|contains: 'NamedPipeClientStream'
timeframe: 60s
condition: selection_pipe and selection_powershell
falsepositives:
- Legitimate administrative tools using named pipes (rare)
level: high
Rule 5: WMIC Process Creation for Privilege Escalation
title: WMIC Process Creation for Privilege Escalation (lpe.exe)
id: e5f6a7b8-c9d0-1234-5678-901234efghij
status: experimental
description: Detects WMIC being used to create processes for privilege escalation
author: Threat Intelligence Team
date: 2026/01/25
tags:
- attack.execution
- attack.privilege_escalation
- attack.t1047
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\\wmic.exe'
CommandLine|contains|all:
- 'process'
- 'call'
- 'create'
filter_admin:
User|contains:
- 'NT AUTHORITY\\SYSTEM'
- 'Administrator'
condition: selection and not filter_admin
falsepositives:
- Legitimate administrative scripts using WMIC (review context)
level: medium
Rule 6: Multi-Technique Privilege Escalation Correlation
title: Multi-Technique Privilege Escalation Sequence (lpe.exe)
id: f6a7b8c9-d0e1-2345-6789-012345fghijk
status: experimental
description: Detects multiple privilege escalation techniques attempted in rapid succession (lpe.exe signature)
author: Threat Intelligence Team
date: 2026/01/25
tags:
- attack.privilege_escalation
- attack.t1134.001
- attack.t1548.002
- attack.t1053.005
logsource:
product: windows
category: correlation
detection:
selection_token:
EventType: 'ProcessAccess'
TargetImage|endswith:
- '\\winlogon.exe'
- '\\lsass.exe'
selection_registry:
EventType: 'RegistrySet'
TargetObject|contains: 'ms-settings\\Shell\\Open\\command'
selection_schtasks:
Image|endswith: '\\schtasks.exe'
CommandLine|contains: '/ru SYSTEM'
timeframe: 60s
condition: 2 of selection_*
falsepositives:
- Extremely rare - investigate all matches
level: critical
EDR Hunting Queries
Microsoft Defender for Endpoint (KQL)
Query 1: Hunt for Token Impersonation
// Hunt for token impersonation API sequence characteristic of lpe.exe
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType in~ ("OpenProcessToken", "DuplicateTokenEx", "ImpersonateLoggedOnUser")
| where InitiatingProcessFileName !in~ ("services.exe", "lsass.exe", "svchost.exe") // Exclude legitimate system processes
| summarize TokenAPIs = make_set(ActionType), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256
| where array_length(TokenAPIs) >= 2 // At least 2 token manipulation APIs
| project Timestamp = FirstSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, TokenAPIs, LastSeen
| sort by Timestamp desc
Query 2: Hunt for UAC Bypass via Registry
// Hunt for UAC bypass via ms-settings registry hijack
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey has_all ("Software\\Classes\\ms-settings", "Shell\\Open\\command")
| where ActionType == "RegistryValueSet"
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "fodhelper.exe"
| where InitiatingProcessFileName !in~ ("explorer.exe", "userinit.exe")
) on DeviceName
| where (RegistryEvents_Timestamp - ProcessEvents_Timestamp) between (-60s .. 60s)
| project Timestamp, DeviceName, RegistryKey, RegistryValueData,
FodhelperParent = InitiatingProcessFileName, ProcessCommandLine
| sort by Timestamp desc
Query 3: Hunt for Scheduled Task SYSTEM Escalation
// Hunt for scheduled task creation with SYSTEM privileges
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has_all ("/create", "/ru", "SYSTEM")
| where AccountName !has "SYSTEM" and AccountName !has "Administrator"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256
| sort by Timestamp desc
Query 4: Hunt for Named Pipe Impersonation
// Hunt for named pipe creation followed by PowerShell connection attempt
let NamedPipeCreation =
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "NamedPipeEvent"
| project PipeCreationTime=Timestamp, DeviceId, PipeName;
let PowerShellPipeClient =
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "NamedPipeClientStream"
| project PSTime=Timestamp, DeviceId, ProcessCommandLine, InitiatingProcessFileName;
NamedPipeCreation
| join kind=inner PowerShellPipeClient on DeviceId
| where (PSTime - PipeCreationTime) between (0s .. 60s)
| project PipeCreationTime, PSTime, DeviceId, PipeName, ProcessCommandLine, InitiatingProcessFileName
| sort by PipeCreationTime desc
Query 5: Hunt for lpe.exe File Hash
// Hunt for lpe.exe by known file hash
DeviceFileEvents
| where Timestamp > ago(90d)
| where SHA256 == "c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e"
or MD5 == "47400a6b7c84847db0513e6dbc04e469"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Query 6: Hunt for Multi-Technique Escalation Pattern
// Hunt for multiple privilege escalation techniques from same process (lpe.exe signature)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("schtasks.exe", "wmic.exe", "reg.exe", "powershell.exe")
or ProcessCommandLine has_any ("OpenProcessToken", "DuplicateTokenEx", "fodhelper.exe")
| summarize Techniques = make_set(FileName), Commands = make_set(ProcessCommandLine),
FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
by DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256
| where array_length(Techniques) >= 2 // Multiple techniques attempted
| where (LastSeen - FirstSeen) < 60s // Within 60 second window
| project FirstSeen, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, Techniques, Commands
| sort by FirstSeen desc
CrowdStrike Falcon (Event Search)
// Hunt for lpe.exe privilege escalation indicators in Falcon
event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2, AsepValueUpdate, NamedPipeEvent, ScheduledTaskRegistered)
| search (FileName IN ("lpe.exe", "schtasks.exe", "wmic.exe", "reg.exe", "fodhelper.exe") AND
CommandLine IN ("*OpenProcessToken*", "*DuplicateTokenEx*", "*ImpersonateLoggedOnUser*",
"*ms-settings*", "*/ru SYSTEM*", "*process call create*", "*NamedPipeClientStream*"))
OR (SHA256HashData="c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e")
OR (TargetFileName IN ("winlogon.exe", "lsass.exe", "services.exe", "csrss.exe") AND SourceProcessId_decimal!="")
OR (RegObjectName="*\\Software\\Classes\\ms-settings\\Shell\\Open\\command*")
| table _time, ComputerName, FileName, CommandLine, SHA256HashData, ParentBaseFileName, event_simpleName
| sort -_time
SentinelOne (Deep Visibility Query)
-- Hunt for lpe.exe privilege escalation patterns in SentinelOne
EventType IN ("Process Creation", "Registry", "Process Access", "Named Pipe")
AND (
(SrcProcCmdLine ContainsCIS "OpenProcessToken" OR SrcProcCmdLine ContainsCIS "DuplicateTokenEx")
OR (TgtFilePath EndsWith "winlogon.exe" OR TgtFilePath EndsWith "lsass.exe" OR TgtFilePath EndsWith "services.exe")
OR (RegistryKeyPath Contains "\\Software\\Classes\\ms-settings\\Shell\\Open\\command")
OR (SrcProcName = "schtasks.exe" AND SrcProcCmdLine ContainsCIS "/ru SYSTEM")
OR (SrcProcName = "wmic.exe" AND SrcProcCmdLine ContainsCIS "process call create")
OR (SrcProcName = "fodhelper.exe" AND SrcProcParentName NOT IN ("explorer.exe", "userinit.exe"))
OR (SrcProcSHA256 = "c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e")
)
SIEM Detection Rules
Splunk SPL Queries
Query 1: Token Impersonation Detection
index=endpoint sourcetype=sysmon EventCode=10
| search (TargetImage="*\\winlogon.exe" OR TargetImage="*\\lsass.exe" OR TargetImage="*\\services.exe" OR TargetImage="*\\csrss.exe")
| search GrantedAccess IN ("0x1410", "0x1000", "0x1FFFFF")
| where SourceImage!="*\\services.exe" AND SourceImage!="*\\lsass.exe" AND SourceImage!="*\\svchost.exe"
| stats count, values(TargetImage) as TargetProcesses, earliest(_time) as FirstSeen, latest(_time) as LastSeen by SourceImage, SourceProcessId, Computer
| eval TimeWindow = LastSeen - FirstSeen
| where TimeWindow < 60
| table _time, Computer, SourceImage, SourceProcessId, TargetProcesses, count, TimeWindow
| sort -_time
Query 2: UAC Bypass Registry Modification
index=endpoint sourcetype=sysmon EventCode=13
| search TargetObject="*\\Software\\Classes\\ms-settings\\Shell\\Open\\command*"
| join Computer [
search index=endpoint sourcetype=sysmon EventCode=1 Image="*\\fodhelper.exe"
| eval fodhelper_time=_time
]
| eval time_diff = abs(_time - fodhelper_time)
| where time_diff < 60
| table _time, Computer, TargetObject, Details, Image, ParentImage, CommandLine
| sort -_time
Query 3: Scheduled Task SYSTEM Creation
index=endpoint sourcetype=sysmon EventCode=1 Image="*\\schtasks.exe"
| search CommandLine="*/create*" AND CommandLine="*/ru*" AND CommandLine="*SYSTEM*"
| where User!="NT AUTHORITY\\SYSTEM" AND User!="*Administrator*"
| table _time, Computer, User, CommandLine, ParentImage, ParentCommandLine
| sort -_time
Query 4: Named Pipe Impersonation
index=endpoint sourcetype=sysmon (EventCode=17 OR EventCode=18)
| search PipeName="*spoolss*" OR PipeName="*pipe*"
| join Computer [
search index=endpoint sourcetype=sysmon EventCode=1 Image="*\\powershell.exe" CommandLine="*NamedPipeClientStream*"
| eval ps_time=_time
]
| eval time_diff = abs(_time - ps_time)
| where time_diff < 60
| table _time, Computer, PipeName, EventType, Image, CommandLine
| sort -_time
Query 5: lpe.exe File Hash Detection
index=endpoint (sourcetype=sysmon EventCode=1 OR sourcetype=windows:security EventID=4688)
| search (SHA256="c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e" OR
MD5="47400a6b7c84847db0513e6dbc04e469" OR
OriginalFileName="lpe.exe")
| table _time, Computer, User, Image, CommandLine, ParentImage, SHA256, MD5
| sort -_time
Query 6: Multi-Technique Correlation
index=endpoint sourcetype=sysmon
| search (EventCode=10 TargetImage IN ("*\\winlogon.exe", "*\\lsass.exe")) OR
(EventCode=13 TargetObject="*ms-settings*") OR
(EventCode=1 Image="*\\schtasks.exe" CommandLine="*/ru SYSTEM*") OR
(EventCode=1 Image="*\\wmic.exe" CommandLine="*process call create*")
| bin _time span=60s
| stats count, values(EventCode) as EventCodes, values(Image) as Images by _time, Computer
| where count >= 2
| table _time, Computer, count, EventCodes, Images
| sort -_time
Elastic Stack (EQL)
Query 1: Token Impersonation Sequence
sequence by host.id with maxspan=30s
[process where event.action == "process_access" and
process.name in ("winlogon.exe", "lsass.exe", "services.exe", "csrss.exe") and
not process.parent.name in ("services.exe", "lsass.exe", "svchost.exe")]
[api where api.name in ("OpenProcessToken", "DuplicateTokenEx", "ImpersonateLoggedOnUser")]
Query 2: UAC Bypass Sequence
sequence by host.id with maxspan=60s
[registry where registry.path : "*\\\\Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command*"]
[process where event.action == "start" and
process.name == "fodhelper.exe" and
not process.parent.name in ("explorer.exe", "userinit.exe")]
Implementation Guidance
Deployment Priorities
- Immediate (Day 1):
- Deploy file hash detection (YARA Rule 1, EDR Query 5)
- Enable Sysmon Event ID 10 (Process Access) logging for token manipulation detection
- Deploy Sigma Rule 1 (Token Impersonation) and Rule 2 (UAC Bypass)
- Short-Term (Week 1):
- Deploy all YARA rules to endpoint protection platforms
- Implement multi-technique correlation detection (Sigma Rule 6)
- Enable enhanced logging for registry modifications (Sysmon Event ID 13)
- Deploy Splunk/Elastic queries for threat hunting
- Medium-Term (Month 1):
- Tune false positive rates for behavioral detections
- Implement automated response playbooks (isolation on detection)
- Create custom EDR rules for Arsenal-237 attack chain detection
- Deploy CrowdStrike/SentinelOne custom IOAs
Testing Recommendations
- Lab Environment Testing:
- Test all detection rules in isolated lab before production deployment
- Validate true positive detection without false positives
- Test automated response playbooks (ensure isolation works correctly)
- Baseline Establishment:
- Establish baseline for privilege escalation API calls in your environment
- Document legitimate use cases for token manipulation (administrative tools)
- Tune detection thresholds based on environment characteristics
- Validation Approach:
- Use MITRE ATT&CK evaluation data for validation
- Test against known lpe.exe samples in sandbox
- Verify detection across Windows versions (7, 10, 11, Server 2016/2019/2022)
Response Automation
Recommended Automated Actions:
- Immediate Isolation: Network isolation on token impersonation detection
- Evidence Preservation: Automated memory dump capture before isolation
- Credential Rotation: Automatic service account password reset on SYSTEM compromise detection
- Threat Hunting: Automated search for killer.dll and enc_*.exe on affected systems
Related Resources
- lpe.exe Main Report
- lpe.exe IOC Feed
- killer.dll Detection Rules (Subsequent stage)
- MITRE ATT&CK: T1134.001 - Access Token Manipulation: Token Impersonation/Theft
- MITRE ATT&CK: T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- MITRE ATT&CK: T1053.005 - Scheduled Task/Job: Scheduled Task
- MITRE ATT&CK: T1047 - Windows Management Instrumentation
Version: 1.0 Last Updated: 2026-01-25 Next Review: 2026-02-25
END OF DETECTION RULES