Creation Of Non-Existent System DLL

 1title: Creation Of Non-Existent System DLL
 2id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 3related:
 4    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
 5      type: similar
 6status: test
 7description: |
 8    Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
 9    Usually this technique is used to achieve DLL hijacking.    
10references:
11    - https://decoded.avast.io/martinchlumecky/png-steganography/
12    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
13    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
14    - https://github.com/Wh04m1001/SysmonEoP
15    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
16    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
17author: Nasreddine Bencherchali (Nextron Systems), fornotes
18date: 2022-12-01
19modified: 2024-01-10
20tags:
21    - attack.defense-evasion
22    - attack.persistence
23    - attack.privilege-escalation
24    - attack.t1574.001
25logsource:
26    product: windows
27    category: file_event
28detection:
29    selection:
30        TargetFilename|endswith:
31            - ':\Windows\System32\TSMSISrv.dll'
32            - ':\Windows\System32\TSVIPSrv.dll'
33            - ':\Windows\System32\wbem\wbemcomn.dll'
34            - ':\Windows\System32\WLBSCTRL.dll'
35            - ':\Windows\System32\wow64log.dll'
36            - ':\Windows\System32\WptsExtensions.dll'
37            - '\SprintCSP.dll'
38    condition: selection
39falsepositives:
40    - Unknown
41level: medium
42regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml

References

• PNG Steganography Hides Backdoor

  

  Unveiling Advanced PNG Steganography in Worok Malware Campaign

  
  Read More

• Blog - SpecterOps

  

  Your new best friend: Introducing BloodHound Community Edition!

  
  Read More

• CVE-2020-7315 McAfee Agent DLL injection | Clément Notin | Blog

  

  DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee passwordThe macompatsvc.exe...

  
  Read More

• GitHub - Wh04m1001/SysmonEoP

  

  Contribute to Wh04m1001/SysmonEoP development by creating an account on GitHub.

  
  Read More

• Beyond good ol’ Run key, Part 5

  Time for the 5th part. Today it’s about the Phantom DLLs Hijacking (do not confuse it with ‘DLL Search Order Hijacking’ where order in which paths are searched for is abused). Windows is a huge ope...

  
  Read More

• redteam-research/LPE via StorSvc at 26e6fc0c0d30d364758fa11c2922064a9a7fd309 · blackarrowsec/redteam-research

  

  Collection of PoC and offensive techniques used by the BlackArrow Red Team - blackarrowsec/redteam-research

  
  Read More

Related rules

• Unsigned .node File Loaded
• Potential PlugX Activity
• Tasks Folder Evasion
• APT27 - Emissary Panda Activity
• Aruba Network Service Potential DLL Sideloading