Unsigned Module Loaded by ClickOnce Application
Detects unsigned module load by ClickOnce application.
Sigma rule (View on GitHub)
1title: Unsigned Module Loaded by ClickOnce Application
2id: 060d5ad4-3153-47bb-8382-43e5e29eda92
3status: test
4description: Detects unsigned module load by ClickOnce application.
5references:
6 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
7author: '@SerkinValery'
8date: 2023-06-08
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.execution
13 - attack.stealth
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection_path:
20 Image|contains: '\AppData\Local\Apps\2.0\'
21 selection_sig_status:
22 - Signed: 'false'
23 - SignatureStatus: 'Expired'
24 condition: all of selection_*
25falsepositives:
26 - Unlikely
27level: medium
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation