-
Notifications
You must be signed in to change notification settings - Fork 2
/
detecting_storscv_and_sprintcsp_dll.yml
42 lines (42 loc) · 1.63 KB
/
detecting_storscv_and_sprintcsp_dll.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
type: similar
status: experimental
description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://github.com/Wh04m1001/SysmonEoP
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022/12/01
modified: 2023/02/15
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
product: windows
category: file_event
detection:
selection:
- TargetFilename:
- 'C:\Windows\System32\WLBSCTRL.dll'
- 'C:\Windows\System32\TSMSISrv.dll'
- 'C:\Windows\System32\TSVIPSrv.dll'
- 'C:\Windows\System32\wow64log.dll'
- 'C:\Windows\System32\WptsExtensions.dll'
- 'C:\Windows\System32\wbem\wbemcomn.dll'
- TargetFilename|endswith: '\SprintCSP.dll'
filter:
Image|startswith: 'C:\Windows\System32\'
condition: selection and not filter
falsepositives:
- Unknown
level: medium