Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Sigma rule

```yaml
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
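To show how the `selection and not filter` condition behaves on real-looking telemetry, here is an added example that re-implements the rule's logic in Python and runs it over a handful of constructed image_load events (Sysmon Event ID 7 style `Image` / `ImageLoaded` fields). This is example code written for this page, not part of the Sigma rule or the SigmaHQ project; the Aruba install path under `Program Files (x86)` and the event values are constructed for illustration, and the case-insensitive comparison mirrors Sigma's default for `endswith`/`startswith` modifiers.

```python
"""Evaluate the Aruba arubanetsvc.exe DLL-sideloading rule over sample events.

Constructed example; not the Sigma rule's own code.
"""
from typing import Dict, Iterable, List

# DLL names copied from the rule's selection block (lower-case for matching)
SIDELOAD_CANDIDATES = (
    "\\wtsapi32.dll", "\\msvcr100.dll", "\\msvcp100.dll", "\\dbghelp.dll",
    "\\dbgcore.dll", "\\wininet.dll", "\\iphlpapi.dll", "\\version.dll",
    "\\cryptsp.dll", "\\cryptbase.dll", "\\wldp.dll", "\\profapi.dll",
    "\\sspicli.dll", "\\winsta.dll", "\\dpapi.dll",
)

# Trusted load locations copied from the rule's filter block
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies `selection and not filter`.

    Sigma's endswith/startswith modifiers are case-insensitive by default,
    so both field values are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()

    selection = image.endswith("\\arubanetsvc.exe") and any(
        loaded.endswith(dll) for dll in SIDELOAD_CANDIDATES
    )
    if not selection:
        return False

    # A listed DLL resolved from a trusted OS directory is the expected case
    filtered = any(loaded.startswith(prefix) for prefix in TRUSTED_PREFIXES)
    return not filtered


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this rule's alert."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (not real telemetry); the Aruba install path is assumed
ARUBA_DIR = "C:\\Program Files (x86)\\Aruba Networks\\Virtual Intranet Access\\"
SAMPLE_EVENTS = [
    {   # benign: listed DLL loaded from System32, removed by the filter
        "Image": ARUBA_DIR + "arubanetsvc.exe",
        "ImageLoaded": "C:\\Windows\\System32\\wtsapi32.dll",
    },
    {   # suspicious: same DLL name resolved from the application directory
        "Image": ARUBA_DIR + "arubanetsvc.exe",
        "ImageLoaded": ARUBA_DIR + "version.dll",
    },
    {   # ignored: a different process, so the selection does not match
        "Image": "C:\\Windows\\explorer.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
    },
    {   # ignored: DLL not on the rule's list
        "Image": ARUBA_DIR + "arubanetsvc.exe",
        "ImageLoaded": ARUBA_DIR + "libeay32.dll",
    },
    {   # benign: SysWOW64 copy, upper-cased to exercise case-insensitive matching
        "Image": ARUBA_DIR.upper() + "ARUBANETSVC.EXE",
        "ImageLoaded": "C:\\WINDOWS\\SYSWOW64\\CRYPTBASE.DLL",
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Running the block alerts only on the second event: a DLL from the rule's list was loaded from the process's own directory rather than from a Windows system directory, which is exactly the search-order-hijacking pattern the rule targets. When deploying the rule, extend the filter (or add a second one on `ImageLoaded` and a matching `Image` directory) only after confirming which DLLs the vendor legitimately ships alongside `arubanetsvc.exe`, since the rule lists `Unknown` as its false-positive guidance.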
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload