Creation Of Non-Existent System DLL
Detects the creation of files under the names of "phantom" system DLLs: DLL names that trusted Windows components attempt to load but that are normally absent from the system (or at least from the system directory that gets searched). Dropping an attacker-controlled file under one of these names is a common way to achieve DLL hijacking for persistence or privilege escalation.
Sigma rule
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
      type: similar
status: test
description: |
    Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
    Usually this technique is used to achieve DLL hijacking.
references:
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022/12/01
modified: 2024/01/10
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1574.001
    - attack.t1574.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
            - '\SprintCSP.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
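As an added example (not the SigmaHQ project's code and not part of this rule page), the following Python applies the rule's TargetFilename|endswith selection to a few constructed Sysmon Event ID 11 (FileCreate) records, mirroring Sigma's default case-insensitive string matching. Field names follow Sysmon's FileCreate event; the EventID check is an assumption that stands in for the file_event logsource a real backend would apply.

```python
"""Added example: evaluate the 'Creation Of Non-Existent System DLL' selection
against constructed Sysmon FileCreate records. Not the Sigma project's code."""

# The TargetFilename suffixes from the rule, copied verbatim.
TARGET_SUFFIXES = [
    r":\Windows\System32\TSMSISrv.dll",
    r":\Windows\System32\TSVIPSrv.dll",
    r":\Windows\System32\wbem\wbemcomn.dll",
    r":\Windows\System32\WLBSCTRL.dll",
    r":\Windows\System32\wow64log.dll",
    r":\Windows\System32\WptsExtensions.dll",
    r"\SprintCSP.dll",
]


def matches_rule(event: dict) -> bool:
    """Return True when the event is a file-creation record whose TargetFilename
    ends with one of the listed suffixes.

    Sigma string modifiers such as |endswith compare case-insensitively unless
    |cased is added, so both sides are lower-cased before comparison.
    The EventID == 11 test is an assumption standing in for the rule's
    'product: windows / category: file_event' logsource (Sysmon FileCreate)."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    lowered = target.lower()
    return any(lowered.endswith(suffix.lower()) for suffix in TARGET_SUFFIXES)


# Constructed sample records (not real telemetry); keys follow Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Windows\System32\WptsExtensions.dll"},
    # Mixed case: still matches because Sigma matching is case-insensitive.
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"c:\windows\system32\WOW64LOG.DLL"},
    # Different drive letter: the ':\Windows\...' suffix is drive-agnostic.
    {"EventID": 11, "Image": r"C:\Windows\Temp\stage.exe",
     "TargetFilename": r"D:\Windows\System32\wbem\wbemcomn.dll"},
    # '\SprintCSP.dll' has no directory anchor, so any directory matches.
    {"EventID": 11, "Image": r"C:\Windows\Temp\stage.exe",
     "TargetFilename": r"C:\Program Files\Vendor\SprintCSP.dll"},
    # Benign: a DLL that normally exists in the wbem directory.
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\wbem\wbemprox.dll"},
    # Not covered: the SysWOW64 path does not end with ':\Windows\System32\wow64log.dll'.
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\wow64log.dll"},
    # Wrong event type: an image-load record is outside the file_event logsource.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wow64log.dll"},
]


def find_hits(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} created {hit['TargetFilename']}")
```

The last two constructed records show the rule's edges: the six drive-anchored entries fire for any drive letter but only for the System32 path, so a wow64log.dll dropped under SysWOW64 is not covered by this rule, while the unanchored '\SprintCSP.dll' entry fires for that file name in any directory, which is where benign third-party installs would show up as false positives.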
Related rules
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Third Party Software DLL Sideloading
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via JsSchHlp