Potential WWlib.DLL Sideloading

 1title: Potential WWlib.DLL Sideloading
 2id: e2e01011-5910-4267-9c3b-4149ed5479cf
 3status: test
 4description: Detects potential DLL sideloading of "wwlib.dll"
 5references:
 6    - https://twitter.com/WhichbufferArda/status/1658829954182774784
 7    - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
 8    - https://securelist.com/apt-luminousmoth/103332/
 9author: X__Junior (Nextron Systems)
10date: 2023-05-18
11tags:
12    - attack.persistence
13    - attack.privilege-escalation
14    - attack.execution
15    - attack.stealth
16    - attack.t1574.001
17logsource:
18    category: image_load
19    product: windows
20detection:
21    selection:
22        ImageLoaded|endswith: '\wwlib.dll'
23    filter_main_path:
24        Image|startswith:
25            - 'C:\Program Files (x86)\Microsoft Office\'
26            - 'C:\Program Files\Microsoft Office\'
27        Image|endswith: '\winword.exe'
28        ImageLoaded|startswith:
29            - 'C:\Program Files (x86)\Microsoft Office\'
30            - 'C:\Program Files\Microsoft Office\'
31    condition: selection and not 1 of filter_main_*
32falsepositives:
33    - Unknown
34level: medium

References

• https://twitter.com/WhichbufferArda/status/1658829954182774784

  
  Read More

• https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/

  
  Read More

• https://securelist.com/apt-luminousmoth/103332/

  
  Read More

Related rules

• APT27 - Emissary Panda Activity
• Aruba Network Service Potential DLL Sideloading
• Creation Of Non-Existent System DLL
• Creation of WerFault.exe/Wer.dll in Unusual Folder
• DHCP Callout DLL Installation