Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
Sigma rule (View on GitHub)
1title: Potential WWlib.DLL Sideloading
2id: e2e01011-5910-4267-9c3b-4149ed5479cf
3status: test
4description: Detects potential DLL sideloading of "wwlib.dll"
5references:
6 - https://twitter.com/WhichbufferArda/status/1658829954182774784
7 - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
8 - https://securelist.com/apt-luminousmoth/103332/
9author: X__Junior (Nextron Systems)
10date: 2023/05/18
11tags:
12 - attack.defense_evasion
13 - attack.privilege_escalation
14 - attack.t1574.001
15 - attack.t1574.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection:
21 ImageLoaded|endswith: '\wwlib.dll'
22 filter_main_path:
23 Image|startswith:
24 - 'C:\Program Files (x86)\Microsoft Office\'
25 - 'C:\Program Files\Microsoft Office\'
26 Image|endswith: '\winword.exe'
27 ImageLoaded|startswith:
28 - 'C:\Program Files (x86)\Microsoft Office\'
29 - 'C:\Program Files\Microsoft Office\'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Unknown
33level: medium
References
-
-
A threat actor’s repeated use of DLL-hijack execution flow makes for interesting attack results, including omnivorous file ingestion; we break down five cases and find commonalities
Read More -
We recently came across unusual APT activity in South East Asia . Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.
Read More
Related rules
- Potential Chrome Frame Helper DLL Sideloading
- Potential Goopdate.DLL Sideloading
- Potential RoboForm.DLL Sideloading
- Potential SmadHook.DLL Sideloading
- Potential SolidPDFCreator.DLL Sideloading