Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Via comctl32.dll
2id: 6360757a-d460-456c-8b13-74cf0e60cceb
3status: test
4description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
5references:
6 - https://github.com/binderlabs/DirCreate2System
7 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
8author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
9date: 2022/12/16
10modified: 2022/12/19
11tags:
12 - attack.defense_evasion
13 - attack.persistence
14 - attack.privilege_escalation
15 - attack.t1574.001
16 - attack.t1574.002
17logsource:
18 category: image_load
19 product: windows
20detection:
21 selection:
22 ImageLoaded|startswith:
23 - 'C:\Windows\System32\logonUI.exe.local\'
24 - 'C:\Windows\System32\werFault.exe.local\'
25 - 'C:\Windows\System32\consent.exe.local\'
26 - 'C:\Windows\System32\narrator.exe.local\'
27 - 'C:\windows\system32\wermgr.exe.local\'
28 ImageLoaded|endswith: '\comctl32.dll'
29 condition: selection
30falsepositives:
31 - Unlikely
32level: high
References
-
Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting - binderlabs/DirCreate2System
Read More -
collect for learning cases. Contribute to sailay1996/awesome_windows_logical_bugs development by creating an account on GitHub.
Read More
Related rules
- DLL Sideloading Of ShellChromeAPI.DLL
- Potential DLL Sideloading Via ClassicExplorer32.dll
- Potential DLL Sideloading Via JsSchHlp
- VMGuestLib DLL Sideload
- VMMap Signed Dbghelp.DLL Potential Sideloading