Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Sigma rule (View on GitHub)
1title: Aruba Network Service Potential DLL Sideloading
2id: 90ae0469-0cee-4509-b67f-e5efcef040f7
3status: test
4description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
5references:
6 - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-01-22
9modified: 2023-03-15
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.t1574.001
14 - attack.t1574.002
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\arubanetsvc.exe'
21 ImageLoaded|endswith:
22 - '\wtsapi32.dll'
23 - '\msvcr100.dll'
24 - '\msvcp100.dll'
25 - '\dbghelp.dll'
26 - '\dbgcore.dll'
27 - '\wininet.dll'
28 - '\iphlpapi.dll'
29 - '\version.dll'
30 - '\cryptsp.dll'
31 - '\cryptbase.dll'
32 - '\wldp.dll'
33 - '\profapi.dll'
34 - '\sspicli.dll'
35 - '\winsta.dll'
36 - '\dpapi.dll'
37 filter:
38 ImageLoaded|startswith:
39 - 'C:\Windows\System32\'
40 - 'C:\Windows\SysWOW64\'
41 - 'C:\Windows\WinSxS\'
42 condition: selection and not filter
43falsepositives:
44 - Unknown
45level: high
References
Related rules
- Creation Of Non-Existent System DLL
- DLL Sideloading Of ShellChromeAPI.DLL
- Microsoft Office DLL Sideload
- Potential 7za.DLL Sideloading
- Potential Antivirus Software DLL Sideloading