Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.
Sigma rule
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
  Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
  Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
  - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.defense-evasion
  - attack.t1574.002
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains|all:
      - 'iphlpapi.dll'
      - '\AppData\Local\Microsoft'
  condition: selection
falsepositives:
  - Unknown
level: high
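The selection above is a `contains|all` match on TargetFilename, which in Sigma is case-insensitive and requires every listed value to be present. The following is an added example, not part of the rule or the Sigma project, that applies that logic to constructed Sysmon-style file creation events and adds the application folder the DLL landed in for analyst context; the event field names (TargetFilename, Image) follow Sysmon Event ID 11 and the sample paths are made up.

```python
from typing import Dict, List, Tuple

# The two values from the rule's TargetFilename|contains|all selection.
REQUIRED_SUBSTRINGS = ("iphlpapi.dll", "\\AppData\\Local\\Microsoft")
APP_ROOT_MARKER = "\\appdata\\local\\microsoft\\"

# Constructed Sysmon-style file creation events (Event ID 11), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\iphlpapi.dll"},
    {"EventID": "11", "Image": "C:\\Users\\alice\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\IPHLPAPI.DLL"},
    # Legitimate system copy: outside the user profile, so the rule must not fire.
    {"EventID": "11", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\iphlpapi.dll"},
    # Normal Teams update writing its own binary: right folder, wrong file name.
    {"EventID": "11", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},
]


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply TargetFilename|contains|all: every substring must occur, case-insensitively.

    Note the substring semantics: a name such as iphlpapi.dll.bak also matches, so
    hits still need the writing process (Image) reviewed before escalation.
    """
    lowered = event.get("TargetFilename", "").lower()
    return all(s.lower() in lowered for s in REQUIRED_SUBSTRINGS)


def application_folder(target: str) -> str:
    """Folder directly under AppData\\Local\\Microsoft (Teams, OneDrive, ...), or '' if absent."""
    idx = target.lower().find(APP_ROOT_MARKER)
    if idx < 0:
        return ""
    return target[idx + len(APP_ROOT_MARKER):].split("\\", 1)[0]


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (application folder, writing process, target path) for each event the rule fires on."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            target = ev["TargetFilename"]
            hits.append((application_folder(target), ev.get("Image", ""), target))
    return hits


if __name__ == "__main__":
    for app, image, path in scan_events(SAMPLE_EVENTS):
        print(f"[high] {app}: {image} wrote {path}")
```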
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijacking Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading