Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32

 1title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
 2id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
 3status: test
 4description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
 5references:
 6    - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
 7author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 8date: 2019/10/02
 9modified: 2023/03/29
10tags:
11    - attack.defense_evasion
12    - attack.t1218.010
13    - detection.emerging_threats
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'regsvr32'
21            - '\AppData\Local\'
22            - '.dll'
23            - ',DllEntry'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

• ÿØÿàJFIF
  
  
  
  ÿÛC     $.' ",#(7),01444'9=82<.342ÿÛC
    2!!22222222222222222222222222222222222222222222222222ÿÂèë
  "
  
  ÿÄ
  
  
  
  
  
  
  
  ÿÄ
  
  
  
  
  
  
  
  ÿÚ 
  ...

  
  Read More

Related rules

• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity
• COLDSTEEL Persistence Service Creation
• EvilNum APT Golden Chickens Deployment Via OCX Files
• Exploit for CVE-2015-1641