Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Sigma rule (View on GitHub)
1title: Diamond Sleet APT DLL Sideloading Indicators
2id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
3status: test
4description: Detects DLL sideloading activity seen used by Diamond Sleet APT
5references:
6 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-10-24
9tags:
10 - attack.defense-evasion
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1574.001
14 - detection.emerging-threats
15logsource:
16 product: windows
17 category: image_load
18detection:
19 selection_1:
20 Image|endswith: ':\ProgramData\clip.exe'
21 ImageLoaded|endswith: ':\ProgramData\Version.dll'
22 selection_2:
23 Image|endswith: ':\ProgramData\wsmprovhost.exe'
24 ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
25 condition: 1 of selection_*
26falsepositives:
27 - Unlikely
28level: high
References
-
Microsoft has observed North Korean threat actors Diamond Sleet and Onyx Sleet exploiting Jet Brains TeamCity CVE-2023-42793 vulnerability.
Read More
Related rules
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor Activity
- Pingback Backdoor DLL Loading Activity