Abusable DLL Potential Sideloading From Suspicious Location

 1title: Abusable DLL Potential Sideloading From Suspicious Location
 2id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
 3status: test
 4description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
 5references:
 6    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
 7    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
 8author: X__Junior (Nextron Systems)
 9date: 2023/07/11
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    category: image_load
15    product: windows
16detection:
17    selection_dll:
18        ImageLoaded|endswith:
19            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
20            - '\coreclr.dll'
21            - '\facesdk.dll'
22            - '\HPCustPartUI.dll'
23            - '\libcef.dll'
24            - '\ZIPDLL.dll'
25    selection_folders_1:
26        ImageLoaded|contains:
27            - ':\Perflogs\'
28            - ':\Users\Public\'
29            - '\Temporary Internet'
30            - '\Windows\Temp\'
31    selection_folders_2:
32        - ImageLoaded|contains|all:
33              - ':\Users\'
34              - '\Favorites\'
35        - ImageLoaded|contains|all:
36              - ':\Users\'
37              - '\Favourites\'
38        - ImageLoaded|contains|all:
39              - ':\Users\'
40              - '\Contacts\'
41        - ImageLoaded|contains|all:
42              - ':\Users\'
43              - '\Pictures\'
44    condition: selection_dll and 1 of selection_folders_*
45falsepositives:
46    - Unknown
47level: high

References

• Behind the Scenes Unveiling the Hidden Workings of Earth Preta

  

  This blog entry discusses the more technical details on the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group, and tackles how we were able to correlate different indicators connected to this threat actor.

  
  Read More

• Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives - Check Point Research

  

  Executive summary Introduction In early 2023, CPIRT investigated an incident at a European hospital. The investigation showed that the malicious activity observed was likely not targeted but was simply collateral damage from Camaro Dragon’s self-propagating malware infections spreading via USB drives. Camaro Dragon is a Chinese-based espionage threat actor whose operations are actively focused on […]

  
  Read More

Related rules

• VMToolsd Suspicious Child Process
• DarkGate - Drop DarkGate Loader In C:\Temp Directory
• Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
• Python Spawning Pretty TTY
• Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script