Drops a DLL with WLL extension to the startup

Sigma rule

title: Drops a DLL with WLL extension to the startup
status: experimental
description: Drops a DLL with WLL extension to the startup
author: Joe Security
date: 2020-03-16
id: 200064
threatname:
behaviorgroup: 2
classification: 8
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        EventID: 11
        TargetFilename:
            - '*\appdata\roaming\microsoft\\*\startup\\*.wll*'
    condition: selection
level: critical
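
How the rule's selection evaluates, as an added example that is not part of the original rule or of Joe Security's tooling: a small Python matcher that applies Sigma's wildcard and backslash-escaping rules to the TargetFilename pattern and runs it over constructed Sysmon events. The function names and sample paths are assumptions made for illustration.

```python
import re

# Pattern copied verbatim from the rule's TargetFilename selection.
PATTERN = r'*\appdata\roaming\microsoft\\*\startup\\*.wll*'

def sigma_to_regex(pattern):
    # Sigma wildcard rules: * = any run of characters, ? = one character.
    # A backslash escapes *, ? or another backslash; before any other
    # character it is a plain backslash. Matching is case-insensitive.
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if ch == "\\" and nxt and nxt in "*?\\":
            out.append(re.escape(nxt))  # escaped character is a literal
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

RULE_RE = sigma_to_regex(PATTERN)

def matches(event):
    # selection: EventID 11 (Sysmon FileCreate) AND TargetFilename matches.
    return (event.get("EventID") == 11
            and RULE_RE.fullmatch(event.get("TargetFilename", "")) is not None)

# Constructed sample events (not real telemetry).
BASE = r"C:\Users\alice\AppData\Roaming\Microsoft"
SAMPLES = [
    (11, BASE + r"\Word\STARTUP\addin.wll"),                     # hit
    (11, BASE + r"\Windows\Start Menu\Programs\Startup\x.wll"),  # hit
    (11, BASE + r"\Word\STARTUP\addin.wll.tmp"),                 # hit (trailing *)
    (11, BASE + r"\Word\STARTUP\addin.dll"),                     # wrong extension
    (11, r"C:\Temp\addin.wll"),                                  # wrong folder
    (1,  BASE + r"\Word\STARTUP\addin.wll"),                     # wrong event type
]

def run_samples():
    return [matches({"EventID": eid, "TargetFilename": path})
            for eid, path in SAMPLES]

if __name__ == "__main__":
    for (eid, path), hit in zip(SAMPLES, run_samples()):
        print("ALERT" if hit else "quiet", eid, path)
```

The wildcard between `microsoft\` and `\startup\` spans path separators, so the pattern covers any startup folder under `AppData\Roaming\Microsoft`, not only one directory level below it.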