DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Sigma rule (View on GitHub)
1title: DLL Names Used By SVR For GraphicalProton Backdoor
2id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
3status: test
4description: Hunts known SVR-specific DLL names.
5references:
6 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
7author: CISA
8date: 2023-12-18
9tags:
10 - attack.defense-evasion
11 - attack.t1574.002
12 - detection.emerging-threats
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 ImageLoaded|endswith:
19 - '\AclNumsInvertHost.dll'
20 - '\AddressResourcesSpec.dll'
21 - '\BlendMonitorStringBuild.dll'
22 - '\ChildPaletteConnected.dll'
23 - '\DeregisterSeekUsers.dll'
24 - '\HandleFrequencyAll.dll'
25 - '\HardSwapColor.dll'
26 - '\LengthInMemoryActivate.dll'
27 - '\ModeBitmapNumericAnimate.dll'
28 - '\ModeFolderSignMove.dll'
29 - '\ParametersNamesPopup.dll'
30 - '\PerformanceCaptionApi.dll'
31 - '\ScrollbarHandleGet.dll'
32 - '\UnregisterAncestorAppendAuto.dll'
33 - '\WowIcmpRemoveReg.dll'
34 condition: selection
35falsepositives:
36 - Unknown
37level: medium
yaml
References
-
SUMMARY The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service ...
Read More
Related rules
- Potential Raspberry Robin Aclui Dll SideLoading
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- APT27 - Emissary Panda Activity
- Potential PlugX Activity