Malicious DLL File Dropped in the Teams or OneDrive Folder

Detects the creation of a DLL file named "iphlpapi.dll" under \AppData\Local\Microsoft, the per-user location where the OneDrive and Teams applications are installed. When Teams or OneDrive is next executed, the dropped malicious DLL is sideloaded by the application.

Sigma rule (View on GitHub)

title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects the creation of a DLL file named "iphlpapi.dll" under \AppData\Local\Microsoft, the per-user location where the OneDrive and Teams applications are installed.
    When Teams or OneDrive is next executed, the dropped malicious DLL is sideloaded by the application.
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022/08/12
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high
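The following is an added example, not part of the SigmaHQ rule or the page: it implements the rule's single selection (`TargetFilename|contains|all`, which in Sigma is case-insensitive and requires every listed substring to be present) and runs it over a handful of constructed Windows file-creation events. The paths, image names and event layout are hypothetical sample data, not real telemetry; the point is to see which records the rule does and does not fire on, including the legitimate copy of iphlpapi.dll in System32.

```python
# Added example: evaluate the Sigma selection above against constructed
# Windows file_event records (Sysmon Event ID 11 style). Not SigmaHQ code.

# The rule's selection: TargetFilename|contains|all
REQUIRED_SUBSTRINGS = ("iphlpapi.dll", r"\AppData\Local\Microsoft")


def matches_rule(event: dict) -> bool:
    """Return True if the event satisfies the rule's selection.

    Sigma string matching is case-insensitive by default, so both the field
    value and the patterns are lower-cased before comparison. 'contains|all'
    means every listed substring must appear somewhere in the field.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False  # field missing or malformed: cannot match
    haystack = target.lower()
    return all(s.lower() in haystack for s in REQUIRED_SUBSTRINGS)


def run_detection(events):
    """Apply the rule to a batch of events; return the TargetFilenames that hit."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and images, not real telemetry).
SAMPLE_EVENTS = [
    # DLL written into the Teams install folder: should fire.
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\iphlpapi.dll"},
    # Same DLL in the OneDrive folder, upper-case name: should still fire.
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\IPHLPAPI.DLL"},
    # Legitimate system library location: must not fire.
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\iphlpapi.dll"},
    # Ordinary Teams update writing its own binary: must not fire.
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    # Same file name outside the monitored folder: outside the rule's scope.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\iphlpapi.dll"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first two records match. The fifth shows a deliberate limitation of the rule: a DLL dropped somewhere other than the Microsoft folder under AppData is not in scope, so a broader sideloading rule would be needed to catch it.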
