DLL Load By System Process From Suspicious Locations
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
Sigma rule (View on GitHub)
1title: DLL Load By System Process From Suspicious Locations
2id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
3status: experimental
4description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
5references:
6 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/07/17
9modified: 2023/09/18
10tags:
11 - attack.defense_evasion
12 - attack.t1070
13logsource:
14 product: windows
15 category: image_load
16detection:
17 selection:
18 Image|startswith: 'C:\Windows\'
19 ImageLoaded|startswith:
20 # TODO: Add more suspicious paths as you see fit in your env
21 - 'C:\Users\Public\'
22 - 'C:\PerfLogs\'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
Related rules
- Fsutil Suspicious Invocation
- Filter Driver Unloaded Via Fltmc.EXE
- Sysmon Driver Unloaded Via Fltmc.EXE
- Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
- Terminal Server Client Connection History Cleared - Registry