
[New WTFBin]: Update.exe

Open redblueops opened this issue 1 year ago • 1 comments

  • **Contributor Name:** Alexandros Pappas
  • **Application/Executable:** Update.exe
  • **WTF Behavior Description:** 'LOLBIN created a PowerShell script file Prevent' generated by XDR BIOC detected on host XXXX involving user XXXX\XXXX
  • **Link to Documentation of Behavior:** N/A
  • **Please provide any images for additional evidence:** Please see attached images (wtfbin, wtfbin1, wtfbin2).

redblueops, Aug 29 '24 09:08

Hey @redblueops, thank you for the submission!

I think this one needs a bit more detail. Update.exe is a common tool used by Squirrel apps, and its behavior is largely up to the updating application. This is not necessarily an unexpected behavior for an installation/update service. This seems more like a tuning issue for the XDR.

Unless this particular PowerShell script is particularly weird, I am gonna close this one out.

mttaggart, Oct 14 '24 03:10