/
image_load_side_load_abused_dlls_susp_paths.yml
47 lines (47 loc) · 1.59 KB
/
image_load_side_load_abused_dlls_susp_paths.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: experimental
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023/07/11
tags:
- attack.execution
- attack.t1059
logsource:
category: image_load
product: windows
detection:
selection_dll:
ImageLoaded|endswith:
# Note: Add more generic DLLs that cannot be pin-pointed to a single application
- '\coreclr.dll'
- '\facesdk.dll'
- '\HPCustPartUI.dll'
- '\libcef.dll'
- '\ZIPDLL.dll'
selection_folders_1:
ImageLoaded|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
- '\Windows\Temp\'
selection_folders_2:
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favorites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favourites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Contacts\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Pictures\'
condition: selection_dll and 1 of selection_folders_*
falsepositives:
- Unknown
level: high