DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Sigma rule (View on GitHub)
1title: DLL Names Used By SVR For GraphicalProton Backdoor
2id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
3status: experimental
4description: Hunts known SVR-specific DLL names.
5references:
6 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
7author: CISA
8date: 2023-12-18
9tags:
10 - attack.defense-evasion
11 - attack.t1574.002
12logsource:
13 category: image_load
14 product: windows
15detection:
16 selection:
17 ImageLoaded|endswith:
18 - '\AclNumsInvertHost.dll'
19 - '\AddressResourcesSpec.dll'
20 - '\BlendMonitorStringBuild.dll'
21 - '\ChildPaletteConnected.dll'
22 - '\DeregisterSeekUsers.dll'
23 - '\HandleFrequencyAll.dll'
24 - '\HardSwapColor.dll'
25 - '\LengthInMemoryActivate.dll'
26 - '\ModeBitmapNumericAnimate.dll'
27 - '\ModeFolderSignMove.dll'
28 - '\ParametersNamesPopup.dll'
29 - '\PerformanceCaptionApi.dll'
30 - '\ScrollbarHandleGet.dll'
31 - '\UnregisterAncestorAppendAuto.dll'
32 - '\WowIcmpRemoveReg.dll'
33 condition: selection
34falsepositives:
35 - Unknown
36level: medium
References
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL