Files With System DLL Name In Unsuspected Locations

 1title: Files With System DLL Name In Unsuspected Locations
 2id: 13c02350-4177-4e45-ac17-cf7ca628ff5e
 3status: test
 4description: |
 5    Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
 6    It is highly recommended to perform an initial baseline before using this rule in production.    
 7references:
 8    - Internal Research
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2024-06-24
11tags:
12    - attack.defense-evasion
13    - attack.t1036.005
14logsource:
15    category: file_event
16    product: windows
17detection:
18    selection:
19        TargetFilename|endswith:
20            # Note: Add more System DLL that can be abused for DLL sideloading to increase coverage
21            - '\secur32.dll'
22            - '\tdh.dll'
23    filter_main_generic:
24        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
25        TargetFilename|contains:
26            # - '\SystemRoot\System32\'
27            - 'C:\$WINDOWS.~BT\'
28            - 'C:\$WinREAgent\'
29            - 'C:\Windows\SoftwareDistribution\'
30            - 'C:\Windows\System32\'
31            - 'C:\Windows\SysWOW64\'
32            - 'C:\Windows\WinSxS\'
33            - 'C:\Windows\uus\'
34    condition: selection and not 1 of filter_main_*
35falsepositives:
36    - Third party software might bundle specific versions of system DLLs.
37# Note: Upgrade to high after an initial baseline to your environement.
38level: medium
39regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml