Unsigned Module Loaded by ClickOnce Application
Detects unsigned module load by ClickOnce application.
Sigma rule (View on GitHub)
1title: Unsigned Module Loaded by ClickOnce Application
2id: 060d5ad4-3153-47bb-8382-43e5e29eda92
3status: test
4description: Detects unsigned module load by ClickOnce application.
5references:
6 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
7author: '@SerkinValery'
8date: 2023-06-08
9tags:
10 - attack.persistence
11 - attack.t1574.002
12logsource:
13 category: image_load
14 product: windows
15detection:
16 selection_path:
17 Image|contains: '\AppData\Local\Apps\2.0\'
18 selection_sig_status:
19 - Signed: 'false'
20 - SignatureStatus: 'Expired'
21 condition: all of selection_*
22falsepositives:
23 - Unlikely
24level: medium
References
-
The contents of this blogpost was written by Nick Powers (@zyn3rgy) and Steven Flores (@0xthirteen), and is a written version of the…
Read More
Related rules
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Fax Service DLL Search Order Hijack