Potential DLL Sideloading Via comctl32.dll

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Sigma rule (View on GitHub)

 1title: Potential DLL Sideloading Via comctl32.dll
 2id: 6360757a-d460-456c-8b13-74cf0e60cceb
 3status: test
 4description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
 5references:
 6    - https://github.com/binderlabs/DirCreate2System
 7    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 8author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
 9date: 2022-12-16
10modified: 2022-12-19
11tags:
12    - attack.defense-evasion
13    - attack.persistence
14    - attack.privilege-escalation
15    - attack.t1574.001
16    - attack.t1574.002
17logsource:
18    category: image_load
19    product: windows
20detection:
21    selection:
22        ImageLoaded|startswith:
23            - 'C:\Windows\System32\logonUI.exe.local\'
24            - 'C:\Windows\System32\werFault.exe.local\'
25            - 'C:\Windows\System32\consent.exe.local\'
26            - 'C:\Windows\System32\narrator.exe.local\'
27            - 'C:\windows\system32\wermgr.exe.local\'
28        ImageLoaded|endswith: '\comctl32.dll'
29    condition: selection
30falsepositives:
31    - Unlikely
32level: high

References

Related rules

to-top