detecting_storscv_and_sprintcsp_dll.yml

title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
      type: similar
status: experimental
description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking
references:
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022/12/01
modified: 2023/02/15
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1574.001
    - attack.t1574.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename:
            - 'C:\Windows\System32\WLBSCTRL.dll'
            - 'C:\Windows\System32\TSMSISrv.dll'
            - 'C:\Windows\System32\TSVIPSrv.dll'
            - 'C:\Windows\System32\wow64log.dll'
            - 'C:\Windows\System32\WptsExtensions.dll'
            - 'C:\Windows\System32\wbem\wbemcomn.dll'
        - TargetFilename|endswith: '\SprintCSP.dll'
    filter:
        Image|startswith: 'C:\Windows\System32\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium