DLL Names Used By SVR For GraphicalProton Backdoor

Hunts known SVR-specific DLL names.

Sigma rule (View on GitHub)

 1title: DLL Names Used By SVR For GraphicalProton Backdoor
 2id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
 3status: experimental
 4description: Hunts known SVR-specific DLL names.
 5references:
 6    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 7author: CISA
 8date: 2023-12-18
 9tags:
10    - attack.defense-evasion
11    - attack.t1574.002
12logsource:
13    category: image_load
14    product: windows
15detection:
16    selection:
17        ImageLoaded|endswith:
18            - '\AclNumsInvertHost.dll'
19            - '\AddressResourcesSpec.dll'
20            - '\BlendMonitorStringBuild.dll'
21            - '\ChildPaletteConnected.dll'
22            - '\DeregisterSeekUsers.dll'
23            - '\HandleFrequencyAll.dll'
24            - '\HardSwapColor.dll'
25            - '\LengthInMemoryActivate.dll'
26            - '\ModeBitmapNumericAnimate.dll'
27            - '\ModeFolderSignMove.dll'
28            - '\ParametersNamesPopup.dll'
29            - '\PerformanceCaptionApi.dll'
30            - '\ScrollbarHandleGet.dll'
31            - '\UnregisterAncestorAppendAuto.dll'
32            - '\WowIcmpRemoveReg.dll'
33    condition: selection
34falsepositives:
35    - Unknown
36level: medium

References

Related rules

to-top