Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Sigma rule (View on GitHub)
1title: Diamond Sleet APT DLL Sideloading Indicators
2id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
3status: test
4description: Detects DLL sideloading activity seen used by Diamond Sleet APT
5references:
6 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-10-24
9tags:
10 - attack.defense-evasion
11 - attack.t1574.002
12 - detection.emerging-threats
13logsource:
14 product: windows
15 category: image_load
16detection:
17 selection_1:
18 Image|endswith: ':\ProgramData\clip.exe'
19 ImageLoaded|endswith: ':\ProgramData\Version.dll'
20 selection_2:
21 Image|endswith: ':\ProgramData\wsmprovhost.exe'
22 ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
23 condition: 1 of selection_*
24falsepositives:
25 - Unlikely
26level: high
References
-
Microsoft has observed North Korean threat actors Diamond Sleet and Onyx Sleet exploiting Jet Brains TeamCity CVE-2023-42793 vulnerability.
Read More
Related rules
- Lazarus APT DLL Sideloading Activity
- APT27 - Emissary Panda Activity
- Potential PlugX Activity
- Potential Raspberry Robin Aclui Dll SideLoading
- Winnti Malware HK University Campaign