Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
Sigma rule (View on GitHub)
1title: Potential Wazuh Security Platform DLL Sideloading
2id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
3status: test
4description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
5references:
6 - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
7author: X__Junior (Nextron Systems)
8date: 2023/03/13
9modified: 2023/05/12
10tags:
11 - attack.defense_evasion
12 - attack.persistence
13 - attack.privilege_escalation
14 - attack.t1574.001
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection:
21 ImageLoaded|endswith:
22 - '\libwazuhshared.dll'
23 - '\libwinpthread-1.dll'
24 filter_main_generic:
25 ImageLoaded|startswith:
26 - 'C:\Program Files\'
27 - 'C:\Program Files (x86)\'
28 filter_optional_mingw64:
29 # Note: Many third party apps installed in "AppData" or "ProgramData" and leverage "mingw64" make use of "libwinpthread-1.dll"
30 # In production its best to make a list of these apps and replace this filter with a specific one.
31 ImageLoaded|contains:
32 - '\AppData\Local\'
33 - '\ProgramData\'
34 ImageLoaded|endswith: '\mingw64\bin\libwinpthread-1.dll'
35 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
36falsepositives:
37 - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
38level: medium
References
Related rules
- Potential Chrome Frame Helper DLL Sideloading
- Potential System DLL Sideloading From Non System Locations
- Potential DLL Sideloading Of DBGCORE.DLL
- Potential DLL Sideloading Of DBGHELP.DLL
- Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE