Aruba Network Service Potential DLL Sideloading

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Sigma rule

```yaml
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
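The rule's logic, `selection and not filter`, fires when `arubanetsvc.exe` loads one of the listed DLL names from anywhere other than the three trusted Windows directories. The following Python is an added example, not code from the Sigma project or the rule author, that evaluates that logic over constructed image_load records (Sysmon Event ID 7 style, using the Sigma field names `Image` and `ImageLoaded`). The Aruba install path and the other file paths in the sample events are made up for illustration; Sigma string modifiers are applied case-insensitively, as the specification requires.

```python
# Added example: evaluate the Sigma rule above against constructed
# image_load events. Field names (Image, ImageLoaded) follow the Sigma
# Windows image_load taxonomy; all paths below are constructed samples.

# DLL name suffixes from the rule's 'ImageLoaded|endswith' list.
SIDELOAD_CANDIDATES = (
    "\\wtsapi32.dll", "\\msvcr100.dll", "\\msvcp100.dll", "\\dbghelp.dll",
    "\\dbgcore.dll", "\\wininet.dll", "\\iphlpapi.dll", "\\version.dll",
    "\\cryptsp.dll", "\\cryptbase.dll", "\\wldp.dll", "\\profapi.dll",
    "\\sspicli.dll", "\\winsta.dll", "\\dpapi.dll",
)

# Directories in the rule's 'filter': loads from here are expected.
TRUSTED_DIRS = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'.

    Sigma string comparisons are case-insensitive by default, so both
    sides are lower-cased before the suffix/prefix checks.
    """
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()

    selection = image.endswith("\\arubanetsvc.exe") and any(
        loaded.endswith(dll) for dll in SIDELOAD_CANDIDATES
    )
    filtered = any(loaded.startswith(d.lower()) for d in TRUSTED_DIRS)
    return selection and not filtered


def triage(events: list) -> list:
    """Return the ImageLoaded paths of every event the rule would alert on."""
    return [e["ImageLoaded"] for e in events if matches_rule(e)]


# Constructed sample events (the install directory is an assumption).
ARUBA_EXE = "C:\\Program Files\\Aruba Networks\\VIA\\arubanetsvc.exe"
SAMPLE_EVENTS = [
    # Expected load from System32: selection matches, filter removes it.
    {"Image": ARUBA_EXE, "ImageLoaded": "C:\\Windows\\System32\\wtsapi32.dll"},
    # Runtime DLL loaded from the application's own directory: alerts.
    {"Image": ARUBA_EXE,
     "ImageLoaded": "C:\\Program Files\\Aruba Networks\\VIA\\msvcr100.dll"},
    # Different process loading a listed DLL name: Image does not match.
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Users\\Public\\version.dll"},
    # Copy of the binary in a user-writable folder, mixed case: alerts.
    {"Image": "C:\\Users\\Public\\ARUBANETSVC.EXE",
     "ImageLoaded": "C:\\Users\\Public\\dbghelp.dll"},
    # WinSxS component store path (constructed): filtered out.
    {"Image": ARUBA_EXE,
     "ImageLoaded": "C:\\Windows\\WinSxS\\x86_placeholder\\wldp.dll"},
    # DLL not in the candidate list: selection does not match.
    {"Image": ARUBA_EXE, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT: arubanetsvc.exe loaded", path)
```

The second sample event is the tuning point a defender should check before deploying at `level: high`: `msvcr100.dll` and `msvcp100.dll` are the Visual C++ 2010 runtime and are commonly redistributed next to an application, so a legitimate install that ships them in its own directory will match `selection` without being removed by `filter`. Baseline the loads from the real install directory first, and add that directory to the filter only after confirming the files there are the vendor-signed ones.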
