Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32

Aug 12, 2024 · attack.defense-evasion attack.t1218.010 detection.emerging-threats ·

Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local

Sigma rule (View on GitHub)

 1title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
 2id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
 3status: test
 4description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
 5references:
 6    - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
 7author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 8date: 2019-10-02
 9modified: 2023-03-29
10tags:
11    - attack.defense-evasion
12    - attack.t1218.010
13    - detection.emerging-threats
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'regsvr32'
21            - '\AppData\Local\'
22            - '.dll'
23            - ',DllEntry'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

ÿØÿàJFIFÿÛC $.' ",#(7),01444'9=82<.342ÿÛC 2!!22222222222222222222222222222222222222222222222222ÿÂèë"ÿÄÿÄÿÚ ...

Read More

Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32

Sigma rule (View on GitHub)

References

Related rules