PlugX DLL Search Order Hijacking Using Avast wsc_proxy (RedCanary Threat Detection Report)
Detects possible DLL search order hijacking via the Avast antivirus wsc_proxy application: a process named wsc_proxy.exe starting from a path outside Program Files. This technique is associated with PlugX. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: PlugX DLL Search Order Hijacking Using Avast wsc_proxy (RedCanary Threat Detection Report)
id: c518ac74-2e2b-4197-84d7-ea5118c557eb
status: experimental
description: |
  Detects possible DLL Search Order hijacking using Avast antivirus wsc_proxy application.
  This technique is associated with PlugX. Part of the RedCanary 2023 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/threats/raspberry-robin/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
  - attack.s0013
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\wsc_proxy.exe'
  filter:
    Image|contains: '\program files\'
  condition: selection and not filter
falsepositives:
  - Could be the result of an administrator installing the application in a custom path
level: low
```
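To make the rule's logic concrete, the following added example (not code from Red Canary, Micah Babinski or the Sigma project) evaluates the `selection and not filter` condition in plain Python over a handful of constructed process_creation events. It reproduces Sigma's default case-insensitive `endswith`/`contains` semantics; the only field it reads is `Image`, as in the rule. The sample paths are invented test inputs, and the tightened filter at the end is a hypothetical variant of this example, not part of the published rule.

```python
# Added example: evaluate the wsc_proxy.exe Sigma rule against constructed events.
# Not Red Canary's or the Sigma project's code; in production the rule is compiled
# with sigma-cli / pySigma into the target backend's query language.

from typing import Iterable, List

# Strings copied from the rule's detection block. These are plain (non-raw)
# Python strings, so each "\\" is a single literal backslash.
SELECTION_SUFFIX = "\\wsc_proxy.exe"
FILTER_SUBSTRING = "\\program files\\"


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma |endswith: case-insensitive unless the |cased modifier is used."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma |contains: case-insensitive substring match."""
    return needle.lower() in value.lower()


def rule_matches(event: dict) -> bool:
    """condition: selection and not filter, evaluated on one event's Image field."""
    image = event.get("Image", "")
    selection = sigma_endswith(image, SELECTION_SUFFIX)
    filt = sigma_contains(image, FILTER_SUBSTRING)
    return selection and not filt


def alerting_images(events: Iterable[dict]) -> List[str]:
    """Return the Image value of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry); only Image is consulted.
SAMPLE_EVENTS = [
    # Default install location: selected, then suppressed by the filter.
    {"Image": "C:\\Program Files\\Avast Software\\Avast\\wsc_proxy.exe"},
    # Same path in odd casing: still suppressed, matching is case-insensitive.
    {"Image": "c:\\PROGRAM FILES\\avast software\\avast\\WSC_PROXY.EXE"},
    # The signed binary copied to a world-writable staging directory: alert.
    {"Image": "C:\\Users\\Public\\Libraries\\wsc_proxy.exe"},
    # ProgramData is not Program Files, so the filter does not apply: alert.
    {"Image": "C:\\ProgramData\\Update\\wsc_proxy.exe"},
    # Note the gap: "\Program Files (x86)\" does not contain "\program files\",
    # so a 32-bit install directory is NOT suppressed by the published filter.
    {"Image": "C:\\Program Files (x86)\\Avast Software\\Avast\\wsc_proxy.exe"},
    # Unrelated image: never selected.
    {"Image": "C:\\Windows\\System32\\svchost.exe"},
    # endswith is anchored at the end of the string, so a renamed copy is missed.
    {"Image": "C:\\Temp\\wsc_proxy.exe.bak"},
]

# Hypothetical tightened filter (an assumption of this example, not the rule as
# published): also suppress the 32-bit program directory. Whether that is wanted
# depends on the environment; both directories are admin-writable, so an
# attacker with local admin can stage under either.
FILTER_SUBSTRINGS_TIGHTENED = ("\\program files\\", "\\program files (x86)\\")


def rule_matches_tightened(event: dict) -> bool:
    image = event.get("Image", "")
    if not sigma_endswith(image, SELECTION_SUFFIX):
        return False
    return not any(sigma_contains(image, s) for s in FILTER_SUBSTRINGS_TIGHTENED)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{'ALERT' if rule_matches(event) else '  ok '}  {event['Image']}")
```

Running the block prints one line per sample event; the three paths outside `\Program Files\` (the public-libraries copy, the ProgramData copy and the `Program Files (x86)` path) alert, while the two default-location paths, the unrelated image and the `.bak` copy do not. The `Program Files (x86)` case is the one to keep in mind when triaging: the rule's `falsepositives` entry covers custom install paths, and a 32-bit install directory behaves like one under this filter.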