Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed (the per-user path under \AppData\Local\Microsoft). Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.
Sigma rule (View on GitHub)
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed.
    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high
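To show what the selection above actually matches, here is an added example (not part of the SigmaHQ rule or this page) that implements the rule's `TargetFilename|contains|all` selection in plain Python and runs it over a few constructed Sysmon Event ID 11 (FileCreate) records. Sigma string matching is case-insensitive by default, so both sides are lowercased. The hostnames, user names and the `Image` values in the sample events are made up for illustration; the rule itself only looks at `TargetFilename`.

```python
"""Added example: a minimal evaluator for the rule's `contains|all` selection.

Not the SigmaHQ rule's own code. Sample events below are constructed, not
real telemetry.
"""

from typing import Dict, Iterable, List, Tuple

# The selection transcribed from the rule: every needle must appear somewhere
# in TargetFilename (Sigma `contains|all`). Matching is case-insensitive.
RULE_NEEDLES: Tuple[str, ...] = ("iphlpapi.dll", r"\AppData\Local\Microsoft")


def matches_selection(event: Dict[str, str], needles: Tuple[str, ...] = RULE_NEEDLES) -> bool:
    """Return True when TargetFilename contains all needles, ignoring case."""
    target = event.get("TargetFilename", "").lower()
    return all(needle.lower() in target for needle in needles)


def run_rule(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply `condition: selection` to a stream of file_event records."""
    return [event for event in events if matches_selection(event)]


# Constructed sample file-create events (hypothetical users, paths and writers).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # DLL written into the per-user Teams install directory: should fire
        "EventID": "11",
        "Image": r"C:\Users\alice\Downloads\setup.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\iphlpapi.dll",
    },
    {   # OneDrive variant with mixed case: still fires, matching is case-insensitive
        "EventID": "11",
        "Image": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
        "TargetFilename": r"C:\Users\bob\appdata\local\microsoft\OneDrive\IPHLPAPI.DLL",
    },
    {   # The legitimate OS copy of iphlpapi.dll lives in System32: must not fire
        "EventID": "11",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetFilename": r"C:\Windows\System32\iphlpapi.dll",
    },
    {   # Benign file under the same directory tree: only one needle present
        "EventID": "11",
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Teams\logs.txt",
    },
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT level=high file={hit['TargetFilename']} writer={hit['Image']}")
```

Running the block prints two alerts (the Teams and OneDrive DLL writes) and stays silent for the System32 copy and the log file. When triaging a hit, the writing process (`Image`) and the file's signature status are the natural next pivots; the rule deliberately keys only on the path, which is why its false-positive entry is "Unknown" and the level is high.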
References
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation