Registry Modification for OCI DLL Redirection

Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.

Sigma rule

title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # the expected library name is oci.dll; alert when it is changed to something else, e.g. evil.dll
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # the expected library path is under %SystemRoot%\System32\; alert when it is changed to something else, e.g. 'C:\Windows\Temp\'
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high
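To show how the two selection/filter pairs above combine, here is an added example (not code from the Sigma rule or SigmaHQ) that applies the rule's condition to a handful of constructed registry_set events. It assumes Sysmon-style field names (TargetObject, Details) as used by the Sigma windows registry_set log source and Sigma's default case-insensitive string matching.

```python
# Added example: evaluate this rule's detection logic over constructed
# registry_set events.  Field names (TargetObject, Details) follow the
# Sigma windows/registry_set taxonomy; matching is case-insensitive, as
# Sigma string modifiers are by default (assumption stated in the lead-in).

OCILIB_SUFFIX = "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLib"
OCILIBPATH_SUFFIX = "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLibPath"
EXPECTED_LIB = "oci.dll"                    # filter_main_ocilib_file
EXPECTED_DIR = "%SystemRoot%\\System32\\"   # filter_main_ocilibpath


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """True when the event satisfies:
    (selection_ocilib and not filter_main_ocilib_file)
      or (selection_ocilibpath and not filter_main_ocilibpath)
    """
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    sel_lib = _endswith(target, OCILIB_SUFFIX)
    flt_lib = _contains(details, EXPECTED_LIB)
    sel_path = _endswith(target, OCILIBPATH_SUFFIX)
    flt_path = _contains(details, EXPECTED_DIR)
    return (sel_lib and not flt_lib) or (sel_path and not flt_path)


# Constructed sample events (not real telemetry); index 1..5 in order.
HIVE = "HKLM\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\"
SAMPLE_EVENTS = [
    {"TargetObject": HIVE + "OracleOciLib", "Details": "oci.dll"},              # 1: expected name, suppressed
    {"TargetObject": HIVE + "OracleOciLib", "Details": "evil.dll"},             # 2: renamed library, alert
    {"TargetObject": HIVE + "OracleOciLibPath", "Details": EXPECTED_DIR},       # 3: expected path, suppressed
    {"TargetObject": HIVE + "OracleOciLibPath", "Details": "C:\\Windows\\Temp\\"},  # 4: moved path, alert
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\MSDTC\\Security\\NetworkDtcAccess",
     "Details": "DWORD (0x00000001)"},                                          # 5: unrelated MSDTC value
]


def alerting_event_ids(events=SAMPLE_EVENTS) -> list:
    """Return the 1-based indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events, 1) if matches_rule(ev)]


if __name__ == "__main__":
    print("alerting events:", alerting_event_ids())  # prints [2, 4]
```

Because both filters are `contains` matches, any Details value containing the expected string is suppressed, exactly as in the Sigma rule itself.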
