Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
Sigma rule (View on GitHub)
1title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
2id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
3status: test
4description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
5references:
6 - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
7author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
8date: 2019/10/02
9modified: 2023/03/29
10tags:
11 - attack.defense_evasion
12 - attack.t1218.010
13 - detection.emerging_threats
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 CommandLine|contains|all:
20 - 'regsvr32'
21 - '\AppData\Local\'
22 - '.dll'
23 - ',DllEntry'
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- COLDSTEEL Persistence Service Creation
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Exploit for CVE-2015-1641