DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Sigma rule
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: test
description: Hunts known SVR-specific DLL names.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023-12-18
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\AclNumsInvertHost.dll'
            - '\AddressResourcesSpec.dll'
            - '\BlendMonitorStringBuild.dll'
            - '\ChildPaletteConnected.dll'
            - '\DeregisterSeekUsers.dll'
            - '\HandleFrequencyAll.dll'
            - '\HardSwapColor.dll'
            - '\LengthInMemoryActivate.dll'
            - '\ModeBitmapNumericAnimate.dll'
            - '\ModeFolderSignMove.dll'
            - '\ParametersNamesPopup.dll'
            - '\PerformanceCaptionApi.dll'
            - '\ScrollbarHandleGet.dll'
            - '\UnregisterAncestorAppendAuto.dll'
            - '\WowIcmpRemoveReg.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
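To show what the rule's `ImageLoaded|endswith` selection actually matches, here is an added example (not part of the SigmaHQ or CISA material) that evaluates the selection against constructed Sysmon Event ID 7 records. Sigma string modifiers are case-insensitive by default, and the leading backslash in each value pins the match to the whole file name; both properties are reproduced here, and the sample events are made up for illustration.

```python
# Minimal evaluator for the rule's ImageLoaded|endswith selection.
# Sigma compares strings case-insensitively by default, so both sides
# are lower-cased. The leading backslash in every value means a DLL
# whose name merely contains one of these strings does not match.
from typing import Dict, Iterable, List

# Suffixes copied verbatim from the rule's selection.
SVR_DLL_SUFFIXES = [
    r"\AclNumsInvertHost.dll", r"\AddressResourcesSpec.dll",
    r"\BlendMonitorStringBuild.dll", r"\ChildPaletteConnected.dll",
    r"\DeregisterSeekUsers.dll", r"\HandleFrequencyAll.dll",
    r"\HardSwapColor.dll", r"\LengthInMemoryActivate.dll",
    r"\ModeBitmapNumericAnimate.dll", r"\ModeFolderSignMove.dll",
    r"\ParametersNamesPopup.dll", r"\PerformanceCaptionApi.dll",
    r"\ScrollbarHandleGet.dll", r"\UnregisterAncestorAppendAuto.dll",
    r"\WowIcmpRemoveReg.dll",
]


def matches_selection(event: Dict[str, str],
                      suffixes: Iterable[str] = SVR_DLL_SUFFIXES) -> bool:
    """True if ImageLoaded ends with any listed suffix (case-insensitive)."""
    loaded = event.get("ImageLoaded", "").lower()
    return bool(loaded) and any(loaded.endswith(s.lower()) for s in suffixes)


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy the rule's condition (selection only)."""
    return [e for e in events if matches_selection(e)]


# Constructed image_load events; only the first and third should alert.
SAMPLE_EVENTS = [
    {"EventID": "7", "Image": r"C:\Users\Public\update.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\AclNumsInvertHost.dll"},
    {"EventID": "7", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": "7", "Image": r"C:\ProgramData\svc.exe",
     "ImageLoaded": r"C:\ProgramData\WOWICMPREMOVEREG.DLL"},  # case differs
    {"EventID": "7", "Image": r"C:\Temp\tool.exe",
     "ImageLoaded": r"C:\Temp\NotAclNumsInvertHost.dll"},  # substring only
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```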
Related rules
- APT27 - Emissary Panda Activity
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor Activity
- Pingback Backdoor DLL Loading Activity