Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Via comctl32.dll
2id: 6360757a-d460-456c-8b13-74cf0e60cceb
3status: test
4description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
5references:
6 - https://github.com/binderlabs/DirCreate2System
7 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
8author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
9date: 2022-12-16
10modified: 2022-12-19
11tags:
12 - attack.defense-evasion
13 - attack.persistence
14 - attack.privilege-escalation
15 - attack.t1574.001
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection:
21 ImageLoaded|startswith:
22 - 'C:\Windows\System32\logonUI.exe.local\'
23 - 'C:\Windows\System32\werFault.exe.local\'
24 - 'C:\Windows\System32\consent.exe.local\'
25 - 'C:\Windows\System32\narrator.exe.local\'
26 - 'C:\windows\system32\wermgr.exe.local\'
27 ImageLoaded|endswith: '\comctl32.dll'
28 condition: selection
29falsepositives:
30 - Unlikely
31level: high
References
-
Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting - binderlabs/DirCreate2System
Read More -
collect for learning cases. Contribute to sailay1996/awesome_windows_logical_bugs development by creating an account on GitHub.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload