Potential Persistence Via AutodialDLL
Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
Sigma rule (View on GitHub)
1title: Potential Persistence Via AutodialDLL
2id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3
3status: experimental
4description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
5references:
6 - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
7 - https://persistence-info.github.io/Data/autodialdll.html
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/08/10
10modified: 2023/08/17
11tags:
12 - attack.persistence
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Services\WinSock2\Parameters\AutodialDLL'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: high
References
-
Ability to load a DLL of your choice anytime someone is connecting to the internet is something that definitely deserves some attention. This is why I will describe here yet another obscure mechani...
Read More -
Autodial DLL Location: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL Classification: Criteria Value Permissions Admin Security context System Persistence type Registry Code...
Read More
Related rules
- Add Debugger Entry To AeDebug For Persistence
- Add Debugger Entry To Hangs Key For Persistence
- Bypass UAC Using Event Viewer
- COM Hijacking via TreatAs
- Classes Autorun Keys Modification