Potential Persistence Via AutodialDLL

Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library

Sigma rule (View on GitHub)

 1title: Potential Persistence Via AutodialDLL
 2id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3
 3status: test
 4description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
 5references:
 6    - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
 7    - https://persistence-info.github.io/Data/autodialdll.html
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-08-10
10modified: 2023-08-17
11tags:
12    - attack.persistence
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\Services\WinSock2\Parameters\AutodialDLL'
19    condition: selection
20falsepositives:
21    - Unlikely
22level: high

References

Related rules

to-top