DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
Sigma rule (View on GitHub)
1title: DHCP Server Loaded the CallOut DLL
2id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
3status: test
4description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
5references:
6 - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
7 - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
8 - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
9author: Dimitrios Slamaris
10date: 2017-05-15
11modified: 2022-12-25
12tags:
13 - attack.defense-evasion
14 - attack.t1574.002
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 EventID: 1033
21 Provider_Name: Microsoft-Windows-DHCP-Server
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DLL Names Used By SVR For GraphicalProton Backdoor