DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Sigma rule

```yaml
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: test
description: Hunts known SVR-specific DLL names.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023-12-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\AclNumsInvertHost.dll'
            - '\AddressResourcesSpec.dll'
            - '\BlendMonitorStringBuild.dll'
            - '\ChildPaletteConnected.dll'
            - '\DeregisterSeekUsers.dll'
            - '\HandleFrequencyAll.dll'
            - '\HardSwapColor.dll'
            - '\LengthInMemoryActivate.dll'
            - '\ModeBitmapNumericAnimate.dll'
            - '\ModeFolderSignMove.dll'
            - '\ParametersNamesPopup.dll'
            - '\PerformanceCaptionApi.dll'
            - '\ScrollbarHandleGet.dll'
            - '\UnregisterAncestorAppendAuto.dll'
            - '\WowIcmpRemoveReg.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
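To show what this rule's `ImageLoaded|endswith` selection actually matches, here is an added Python example (not part of the Sigma rule or of the CISA advisory it references) that evaluates the selection against a handful of constructed image-load records shaped like Sysmon Event ID 7, which is the usual source for the `image_load` / `windows` logsource. The DLL list is copied from the rule; the event records are constructed for illustration and are not real telemetry.

```python
# Added example: evaluate the Sigma rule's image_load selection over sample events.
# The DLL suffixes are copied from the rule; everything else here is an assumption
# made for the demonstration (event shape, sample paths).
from typing import Iterable, List

# The rule's ImageLoaded|endswith patterns. The leading backslash makes each
# pattern match only a complete file name at the end of the path.
SVR_DLL_SUFFIXES = [
    r"\AclNumsInvertHost.dll",
    r"\AddressResourcesSpec.dll",
    r"\BlendMonitorStringBuild.dll",
    r"\ChildPaletteConnected.dll",
    r"\DeregisterSeekUsers.dll",
    r"\HandleFrequencyAll.dll",
    r"\HardSwapColor.dll",
    r"\LengthInMemoryActivate.dll",
    r"\ModeBitmapNumericAnimate.dll",
    r"\ModeFolderSignMove.dll",
    r"\ParametersNamesPopup.dll",
    r"\PerformanceCaptionApi.dll",
    r"\ScrollbarHandleGet.dll",
    r"\UnregisterAncestorAppendAuto.dll",
    r"\WowIcmpRemoveReg.dll",
]


def sigma_endswith(value: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive by default, so compare lowercased."""
    return value.lower().endswith(pattern.lower())


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`.

    The logsource (category image_load, product windows) is assumed to have
    been applied upstream, i.e. only Sysmon Event ID 7 records reach this function.
    """
    loaded = event.get("ImageLoaded")
    if not isinstance(loaded, str):
        return False  # field absent or malformed: the selection cannot match
    return any(sigma_endswith(loaded, suffix) for suffix in SVR_DLL_SUFFIXES)


def hunt(events: Iterable[dict]) -> List[dict]:
    """Filter a stream of image-load events down to the ones the rule flags."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Keys mirror Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\AclNumsInvertHost.dll"},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Different casing: Sigma's default matching still catches it.
    {"RecordId": 3, "EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"c:\temp\WOWICMPREMOVEREG.DLL"},
    # Same name with a prefix: the leading backslash in the pattern rejects it.
    {"RecordId": 4, "EventID": 7, "Image": r"C:\tools\build.exe",
     "ImageLoaded": r"C:\tools\MyAclNumsInvertHost.dll"},
    # Field missing entirely: cannot match.
    {"RecordId": 5, "EventID": 7, "Image": r"C:\Windows\explorer.exe"},
]


def flagged_record_ids(events: Iterable[dict] = SAMPLE_EVENTS) -> List[int]:
    """Convenience wrapper returning the RecordIds the rule would alert on."""
    return [e["RecordId"] for e in hunt(events)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"record {hit['RecordId']}: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Two details are worth noting when porting this rule to a SIEM: the comparison must stay case-insensitive (Windows paths are), and the leading backslash in each pattern should be preserved so that a longer file name that merely ends with one of these strings does not fire. Because the rule lists no `falsepositives` beyond `Unknown`, a hit is a hunting lead to be triaged against the loading process (`Image`) rather than a standalone verdict.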
Related rules
- APT27 - Emissary Panda Activity
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor Activity
- Pingback Backdoor DLL Loading Activity