Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Sigma rule (View on GitHub)
1title: Aruba Network Service Potential DLL Sideloading
2id: 90ae0469-0cee-4509-b67f-e5efcef040f7
3status: test
4description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
5references:
6 - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-01-22
9modified: 2023-03-15
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\arubanetsvc.exe'
21 ImageLoaded|endswith:
22 - '\wtsapi32.dll'
23 - '\msvcr100.dll'
24 - '\msvcp100.dll'
25 - '\dbghelp.dll'
26 - '\dbgcore.dll'
27 - '\wininet.dll'
28 - '\iphlpapi.dll'
29 - '\version.dll'
30 - '\cryptsp.dll'
31 - '\cryptbase.dll'
32 - '\wldp.dll'
33 - '\profapi.dll'
34 - '\sspicli.dll'
35 - '\winsta.dll'
36 - '\dpapi.dll'
37 filter:
38 ImageLoaded|startswith:
39 - 'C:\Windows\System32\'
40 - 'C:\Windows\SysWOW64\'
41 - 'C:\Windows\WinSxS\'
42 condition: selection and not filter
43falsepositives:
44 - Unknown
45level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- APT27 - Emissary Panda Activity
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL
- DLL Names Used By SVR For GraphicalProton Backdoor