Potential Persistence Via AutodialDLL
Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
Sigma rule (View on GitHub)
1title: Potential Persistence Via AutodialDLL
2id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3
3status: test
4description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
5references:
6 - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
7 - https://persistence-info.github.io/Data/autodialdll.html
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-08-10
10modified: 2023-08-17
11tags:
12 - attack.persistence
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Services\WinSock2\Parameters\AutodialDLL'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: high
References
-
Autodial DLL Location: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL Classification: Criteria Value Permissions Admin Security context System Persistence type Registry Code...
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint