Diamond Sleet APT DLL Sideloading Indicators

Oct 28, 2023 · attack.defense_evasion attack.t1574.002 detection.emerging_threats ·

Detects DLL sideloading activity seen used by Diamond Sleet APT

Sigma rule (View on GitHub)

 1title: Diamond Sleet APT DLL Sideloading Indicators
 2id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
 3status: experimental
 4description: Detects DLL sideloading activity seen used by Diamond Sleet APT
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/10/24
 9tags:
10    - attack.defense_evasion
11    - attack.t1574.002
12    - detection.emerging_threats
13logsource:
14    product: windows
15    category: image_load
16detection:
17    selection_1:
18        Image|endswith: ':\ProgramData\clip.exe'
19        ImageLoaded|endswith: ':\ProgramData\Version.dll'
20    selection_2:
21        Image|endswith: ':\ProgramData\wsmprovhost.exe'
22        ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
23    condition: 1 of selection_*
24falsepositives:
25    - Unlikely
26level: high

References

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

Read More

Diamond Sleet APT DLL Sideloading Indicators

Sigma rule (View on GitHub)

References

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

Related rules