DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Sigma rule (View on GitHub)
1title: DLL Names Used By SVR For GraphicalProton Backdoor
2id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
3status: experimental
4description: Hunts known SVR-specific DLL names.
5references:
6 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
7author: CISA
8date: 2023/12/18
9tags:
10 - attack.defense_evasion
11 - attack.t1574.002
12logsource:
13 category: image_load
14 product: windows
15detection:
16 selection:
17 ImageLoaded|endswith:
18 - '\AclNumsInvertHost.dll'
19 - '\AddressResourcesSpec.dll'
20 - '\BlendMonitorStringBuild.dll'
21 - '\ChildPaletteConnected.dll'
22 - '\DeregisterSeekUsers.dll'
23 - '\HandleFrequencyAll.dll'
24 - '\HardSwapColor.dll'
25 - '\LengthInMemoryActivate.dll'
26 - '\ModeBitmapNumericAnimate.dll'
27 - '\ModeFolderSignMove.dll'
28 - '\ParametersNamesPopup.dll'
29 - '\PerformanceCaptionApi.dll'
30 - '\ScrollbarHandleGet.dll'
31 - '\UnregisterAncestorAppendAuto.dll'
32 - '\WowIcmpRemoveReg.dll'
33 condition: selection
34falsepositives:
35 - Unknown
36level: medium
References
-
title: Privilege information listing via whoami description: Detects whoami.exe execution and listing of privileges author: references: https://learn.microsoft.com/en-us/windows-server/administrat...
Read More
Related rules
- Creation Of Non-Existent System DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Potential DLL Sideloading Via VMware Xfer
- Potential DLL Sideloading Via DeviceEnroller.EXE
- Renamed Vmnat.exe Execution