Potential WWlib.DLL Sideloading

 1title: Potential WWlib.DLL Sideloading
 2id: e2e01011-5910-4267-9c3b-4149ed5479cf
 3status: test
 4description: Detects potential DLL sideloading of "wwlib.dll"
 5references:
 6    - https://twitter.com/WhichbufferArda/status/1658829954182774784
 7    - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
 8    - https://securelist.com/apt-luminousmoth/103332/
 9author: X__Junior (Nextron Systems)
10date: 2023-05-18
11tags:
12    - attack.defense-evasion
13    - attack.privilege-escalation
14    - attack.t1574.001
15    - attack.t1574.002
16logsource:
17    category: image_load
18    product: windows
19detection:
20    selection:
21        ImageLoaded|endswith: '\wwlib.dll'
22    filter_main_path:
23        Image|startswith:
24            - 'C:\Program Files (x86)\Microsoft Office\'
25            - 'C:\Program Files\Microsoft Office\'
26        Image|endswith: '\winword.exe'
27        ImageLoaded|startswith:
28            - 'C:\Program Files (x86)\Microsoft Office\'
29            - 'C:\Program Files\Microsoft Office\'
30    condition: selection and not 1 of filter_main_*
31falsepositives:
32    - Unknown
33level: medium

References

• x.com

  
  Read More

• Family Tree: DLL-Sideloading Cases May Be Related

  

  A threat actor’s repeated use of DLL-hijack execution flow makes for interesting attack results, including omnivorous file ingestion; we break down five cases and find commonalities

  
  Read More

• LuminousMoth APT: Sweeping attacks for the chosen few

  

  We recently came across unusual APT activity in South East Asia . Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

  
  Read More

Related rules

• Creation Of Non-Existent System DLL
• DLL Sideloading Of ShellChromeAPI.DLL
• Microsoft Office DLL Sideload
• Potential 7za.DLL Sideloading
• Potential AVKkid.DLL Sideloading