DLL Search Order Hijacking Via Additional Space in Path
Detects when an attacker creates a folder structure that mimics Windows system folders (such as Windows, Program Files, ...) but with a trailing space in the folder name, in order to manipulate the DLL load search order and perform a "DLL Search Order Hijacking" attack.
Sigma rule
title: DLL Search Order Hijacking Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
    Detects when an attacker creates a similar folder structure to Windows system folders such as (Windows, Program Files...)
    but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
    - https://twitter.com/cyb3rops/status/1552932770464292864
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Windows \'
            - 'C:\Program Files \'
            - 'C:\Program Files (x86) \'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
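To make the detection logic concrete, the following Python snippet re-implements the rule's `selection` block and runs it over a handful of constructed file-creation events. This is an added example, not code from the Sigma rule or the SigmaHQ project; the event dictionaries, the `Image` values and the `matches_rule`/`find_hits` helpers are illustrative assumptions. Only the `TargetFilename` field is read, as in the rule, and comparisons are case-insensitive because Sigma string matching is case-insensitive unless the `cased` modifier is used.

```python
# Added example: Python re-implementation of the rule's `selection` block.
# Not part of the Sigma rule or SigmaHQ; sample events below are constructed.
from typing import Iterable, List

# Prefixes taken from the rule. Note the space before the trailing backslash:
# "C:\Windows \" is a different directory from "C:\Windows\".
SUSPICIOUS_PREFIXES = (
    "C:\\Windows \\",
    "C:\\Program Files \\",
    "C:\\Program Files (x86) \\",
)


def matches_rule(event: dict) -> bool:
    """Return True when a file_event record satisfies the rule's `selection`.

    Sigma's startswith/endswith modifiers compare case-insensitively by
    default, so both the event value and the rule strings are lower-cased.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    lowered = target.lower()
    return lowered.endswith(".dll") and any(
        lowered.startswith(prefix.lower()) for prefix in SUSPICIOUS_PREFIXES
    )


def find_hits(events: Iterable[dict]) -> List[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events, trimmed to the fields a Sysmon file-create
# record would carry; paths and image names are hypothetical.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\wlanapi.dll"},            # normal path, no space
    {"Image": "C:\\Users\\alice\\stage.exe",
     "TargetFilename": "C:\\Windows \\System32\\wlanapi.dll"},           # trailing space -> hit
    {"Image": "C:\\Users\\alice\\stage.exe",
     "TargetFilename": "c:\\program files \\Vendor\\plugin.DLL"},        # case differs -> hit
    {"Image": "C:\\Users\\alice\\stage.exe",
     "TargetFilename": "C:\\Windows \\Temp\\notes.txt"},                 # not a .dll -> no hit
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Program Files (x86) \\Tool\\helper.dll"},    # x86 variant -> hit
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT: DLL written under a look-alike system folder:", hit)
```

Because the rule keys only on `TargetFilename`, any process writing a `.dll` under one of these look-alike folders triggers it; the `Image` field is shown in the sample events only because it is the first thing an analyst will pivot on when triaging the alert.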
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation