Creation Of Non-Existent System DLL

 1title: Creation Of Non-Existent System DLL
 2id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 3related:
 4    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
 5      type: similar
 6status: test
 7description: |
 8    Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
 9    Usually this technique is used to achieve DLL hijacking.    
10references:
11    - https://decoded.avast.io/martinchlumecky/png-steganography/
12    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
13    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
14    - https://github.com/Wh04m1001/SysmonEoP
15    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
16    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
17author: Nasreddine Bencherchali (Nextron Systems), fornotes
18date: 2022/12/01
19modified: 2024/01/10
20tags:
21    - attack.defense_evasion
22    - attack.persistence
23    - attack.privilege_escalation
24    - attack.t1574.001
25    - attack.t1574.002
26logsource:
27    product: windows
28    category: file_event
29detection:
30    selection:
31        TargetFilename|endswith:
32            - ':\Windows\System32\TSMSISrv.dll'
33            - ':\Windows\System32\TSVIPSrv.dll'
34            - ':\Windows\System32\wbem\wbemcomn.dll'
35            - ':\Windows\System32\WLBSCTRL.dll'
36            - ':\Windows\System32\wow64log.dll'
37            - ':\Windows\System32\WptsExtensions.dll'
38            - '\SprintCSP.dll'
39    condition: selection
40falsepositives:
41    - Unknown
42level: medium

References

• PNG Steganography Hides Backdoor - Avast Threat Labs

  

  Our deep analysis of the Worok toolset (previously described by ESET Research) reveals the final stage, hidden in a PNG file, that steals data and provides a multifunctional backdoor using the DropBox repository and API.

  
  Read More

• Lateral Movement — SCM and Dll Hijacking Primer

  

  Using the Service Control Manager and built-in services for lateral movement.

  
  Read More

• CVE-2020-7315 McAfee Agent DLL injection | Clément Notin | Blog

  

  DLL injection in McAfee Agent allowing a local administrator to kill the antivirus, or tamper with it, without knowing the McAfee passwordThe macompatsvc.exe...

  
  Read More

• GitHub - Wh04m1001/SysmonEoP

  

  Contribute to Wh04m1001/SysmonEoP development by creating an account on GitHub.

  
  Read More

• Beyond good ol’ Run key, Part 5

  Time for the 5th part. Today it’s about the Phantom DLLs Hijacking (do not confuse it with ‘DLL Search Order Hijacking’ where order in which paths are searched for is abused). Windows is a huge ope...

  
  Read More

• redteam-research/LPE via StorSvc at 26e6fc0c0d30d364758fa11c2922064a9a7fd309 · blackarrowsec/redteam-research

  

  Collection of PoC and offensive techniques used by the BlackArrow Red Team - blackarrowsec/redteam-research

  
  Read More

Related rules

• Potential DLL Sideloading Of Non-Existent DLLs From System Folders
• Third Party Software DLL Sideloading
• DLL Sideloading Of ShellChromeAPI.DLL
• Potential DLL Sideloading Via ClassicExplorer32.dll
• Potential DLL Sideloading Via JsSchHlp