Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
2id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
3status: test
4description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
5references:
6 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/05
9tags:
10 - attack.defense_evasion
11 - attack.persistence
12 - attack.privilege_escalation
13 - attack.t1574.001
14 - attack.t1574.002
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\gup.exe'
21 ImageLoaded|endswith: '\libcurl.dll'
22 filter_main_notepad_plusplus:
23 Image|endswith: '\Notepad++\updater\GUP.exe'
24 condition: selection and not 1 of filter_main_*
25falsepositives:
26 - Unknown
27level: medium
References
-
WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.
Read More
Related rules
- Potential DLL Sideloading Of DBGCORE.DLL
- Potential DLL Sideloading Of DBGHELP.DLL
- Potential Libvlc.DLL Sideloading
- Microsoft Office DLL Sideload
- Potential Antivirus Software DLL Sideloading