Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
Sigma rule (View on GitHub)
1title: Potential WWlib.DLL Sideloading
2id: e2e01011-5910-4267-9c3b-4149ed5479cf
3status: test
4description: Detects potential DLL sideloading of "wwlib.dll"
5references:
6 - https://twitter.com/WhichbufferArda/status/1658829954182774784
7 - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
8 - https://securelist.com/apt-luminousmoth/103332/
9author: X__Junior (Nextron Systems)
10date: 2023-05-18
11tags:
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 ImageLoaded|endswith: '\wwlib.dll'
21 filter_main_path:
22 Image|startswith:
23 - 'C:\Program Files (x86)\Microsoft Office\'
24 - 'C:\Program Files\Microsoft Office\'
25 Image|endswith: '\winword.exe'
26 ImageLoaded|startswith:
27 - 'C:\Program Files (x86)\Microsoft Office\'
28 - 'C:\Program Files\Microsoft Office\'
29 condition: selection and not 1 of filter_main_*
30falsepositives:
31 - Unknown
32level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
A threat actor’s repeated use of DLL-hijack execution flow makes for interesting attack results, including omnivorous file ingestion; we break down five cases and find commonalities
Read More -
We recently came across unusual APT activity in South East Asia . Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Lazarus APT DLL Sideloading Activity
- Malicious DLL File Dropped in the Teams or OneDrive Folder