HackTool - SharpEvtMute DLL Load

Aug 12, 2024 · attack.defense-evasion attack.t1562.002 ·

Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs

Sigma rule (View on GitHub)

 1title: HackTool - SharpEvtMute DLL Load
 2id: 49329257-089d-46e6-af37-4afce4290685
 3related:
 4    - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation
 5      type: similar
 6status: test
 7description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
 8references:
 9    - https://github.com/bats3c/EvtMute
10author: Florian Roth (Nextron Systems)
11date: 2022-09-07
12modified: 2023-02-17
13tags:
14    - attack.defense-evasion
15    - attack.t1562.002
16logsource:
17    category: image_load
18    product: windows
19detection:
20    selection:
21        - Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
22        - Imphash: '330768a4f172e10acb6287b87289d83b'
23    condition: selection
24falsepositives:
25    - Other DLLs with the same Imphash
26level: high

References

GitHub - bats3c/EvtMute: Apply a filter to the events being reported by windows event logging

Apply a filter to the events being reported by windows event logging - bats3c/EvtMute

Read More

HackTool - SharpEvtMute DLL Load

Sigma rule (View on GitHub)

References

GitHub - bats3c/EvtMute: Apply a filter to the events being reported by windows event logging

Related rules