Unsigned Module Loaded by ClickOnce Application
Detects unsigned module load by ClickOnce application.
Sigma rule (View on GitHub)
1title: Unsigned Module Loaded by ClickOnce Application
2id: 060d5ad4-3153-47bb-8382-43e5e29eda92
3status: test
4description: Detects unsigned module load by ClickOnce application.
5references:
6 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
7author: '@SerkinValery'
8date: 2023-06-08
9tags:
10 - attack.privilege-escalation
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.t1574.001
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection_path:
19 Image|contains: '\AppData\Local\Apps\2.0\'
20 selection_sig_status:
21 - Signed: 'false'
22 - SignatureStatus: 'Expired'
23 condition: all of selection_*
24falsepositives:
25 - Unlikely
26level: medium
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL