Fax Service DLL Search Order Hijack
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Sigma rule (View on GitHub)
1title: Fax Service DLL Search Order Hijack
2id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
3status: test
4description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
5references:
6 - https://windows-internals.com/faxing-your-way-to-system/
7author: NVISO
8date: 2020/05/04
9modified: 2022/06/02
10tags:
11 - attack.persistence
12 - attack.defense_evasion
13 - attack.t1574.001
14 - attack.t1574.002
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\fxssvc.exe'
21 ImageLoaded|endswith: 'ualapi.dll'
22 filter:
23 ImageLoaded|startswith: 'C:\Windows\WinSxS\'
24 condition: selection and not filter
25falsepositives:
26 - Unlikely
27level: high
References
-
“Part two?”, you ask. “Where’s part one?”, you wonder. In this blog post, we are doing things backwards — first publishing a Part Two, with a theoretical “What if?” scenario, and then we’ll follow ...
Read More
Related rules
- UAC Bypass With Fake DLL
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- DNS Server Error Failed Loading the ServerLevelPluginDLL
- Xwizard DLL Sideloading
- Okta MFA Reset or Deactivated