Diamond Sleet APT DLL Sideloading Indicators

Apr 28, 2026 · attack.persistence attack.privilege-escalation attack.execution attack.stealth attack.t1574.001 detection.emerging-threats ·

Share on:

Detects DLL sideloading activity seen used by Diamond Sleet APT

Sigma rule (View on GitHub)

 1title: Diamond Sleet APT DLL Sideloading Indicators
 2id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
 3status: test
 4description: Detects DLL sideloading activity seen used by Diamond Sleet APT
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-10-24
 9tags:
10    - attack.persistence
11    - attack.privilege-escalation
12    - attack.execution
13    - attack.stealth
14    - attack.t1574.001
15    - detection.emerging-threats
16logsource:
17    product: windows
18    category: image_load
19detection:
20    selection_1:
21        Image|endswith: ':\ProgramData\clip.exe'
22        ImageLoaded|endswith: ':\ProgramData\Version.dll'
23    selection_2:
24        Image|endswith: ':\ProgramData\wsmprovhost.exe'
25        ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
26    condition: 1 of selection_*
27falsepositives:
28    - Unlikely
29level: high

References

Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability | Microsoft Security Blog

Microsoft has observed North Korean threat actors Diamond Sleet and Onyx Sleet exploiting Jet Brains TeamCity CVE-2023-42793 vulnerability.

Read More

Diamond Sleet APT DLL Sideloading Indicators

Sigma rule (View on GitHub)

References

Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability | Microsoft Security Blog

Related rules