Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Sigma rule
```yaml
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/22
modified: 2023/03/15
tags:
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1574.001
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
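The rule's `selection and not filter` condition, written out as an added Python example (not part of the Sigma project's tooling) and run over image-load events. The events, the `C:\ExampleApps\...` paths and the function names are constructed for illustration; the DLL names and system prefixes are taken from the rule.

```python
# Added example: the rule's "selection and not filter" logic in plain Python.
# Sigma string modifiers match case-insensitively, so values are lowercased.
IMAGE_SUFFIX = "\\arubanetsvc.exe"
DLL_NAMES = ["wtsapi32", "msvcr100", "msvcp100", "dbghelp", "dbgcore",
             "wininet", "iphlpapi", "version", "cryptsp", "cryptbase",
             "wldp", "profapi", "sspicli", "winsta", "dpapi"]
# The leading backslash anchors the match to a whole file name.
DLL_SUFFIXES = tuple("\\" + name + ".dll" for name in DLL_NAMES)
SYSTEM_PREFIXES = ("c:\\windows\\system32\\",
                   "c:\\windows\\syswow64\\",
                   "c:\\windows\\winsxs\\")


def matches_rule(event):
    """Return True when an image_load event satisfies the rule condition."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    # selection: both fields must match (AND); list items are alternatives (OR)
    selection = image.endswith(IMAGE_SUFFIX) and loaded.endswith(DLL_SUFFIXES)
    # filter: the DLL came from an expected Windows directory
    filtered = loaded.startswith(SYSTEM_PREFIXES)
    return selection and not filtered


# Constructed sample events (Image / ImageLoaded fields of an image_load log).
SAMPLE_EVENTS = [
    # Expected system copy: selection matches, filter suppresses it.
    {"Image": r"C:\ExampleApps\via\arubanetsvc.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # Listed DLL loaded from the application directory: alert.
    {"Image": r"C:\ExampleApps\via\arubanetsvc.exe",
     "ImageLoaded": r"C:\ExampleApps\via\version.dll"},
    # Case differences must not defeat the match: alert.
    {"Image": r"C:\EXAMPLEAPPS\VIA\ARUBANETSVC.EXE",
     "ImageLoaded": r"C:\Users\Public\WLDP.DLL"},
    # Different process: selection fails on Image.
    {"Image": r"C:\ExampleApps\other\notepad.exe",
     "ImageLoaded": r"C:\ExampleApps\other\version.dll"},
    # DLL not in the rule's list: selection fails on ImageLoaded.
    {"Image": r"C:\ExampleApps\via\arubanetsvc.exe",
     "ImageLoaded": r"C:\ExampleApps\via\viahelper.dll"},
]


def alerts(events):
    """Return the ImageLoaded path of every event the rule would flag."""
    return [e["ImageLoaded"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```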
Related rules
- Microsoft Office DLL Sideload
- Potential Antivirus Software DLL Sideloading
- Creation Of Non-Existent System DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Third Party Software DLL Sideloading