Execution DLL of Choice Using WAB.EXE
This rule detects a write to the `DLLPath` value under `Software\Microsoft\WAB` whose content is anything other than the default `%CommonProgramFiles%\System\wab32.dll`. When WAB.exe (Windows Address Book) is launched it loads the DLL named in that registry value, so redirecting the path makes a signed Microsoft binary load an attacker-chosen DLL. The detection is a `registry_set` rule: it matches on the value path and suppresses only the default DLL location.
Sigma rule

```yaml
title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
    - https://twitter.com/Hexacorn/status/991447379864932352
    - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020/10/13
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
    filter:
        Details: '%CommonProgramFiles%\System\wab32.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
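To make the matching semantics concrete, the rule's `selection`/`filter` logic is re-implemented below in plain Python and run over a handful of constructed registry value-set records. This is an added example, not code from the Sigma rule or the SigmaHQ project; the event records (process names, SID, DLL paths) are made up for the demonstration, and only the two field names (`TargetObject`, `Details`) and the two patterns are taken from the rule. Sigma string matching is case-insensitive by default, which the code reproduces by lower-casing both sides.

```python
"""Re-implementation of the 'Execution DLL of Choice Using WAB.EXE' Sigma
detection logic, run over constructed registry value-set events.

Added example; not part of the Sigma rule or the SigmaHQ page. Sample events
below are hypothetical and modelled on Sysmon Event ID 13 fields.
"""

# Patterns copied verbatim from the rule's detection block.
SELECTION_SUFFIX = r"\Software\Microsoft\WAB\DLLPath"
FILTER_DEFAULT = r"%CommonProgramFiles%\System\wab32.dll"


def selection_matches(event):
    """selection: TargetObject|endswith '\\Software\\Microsoft\\WAB\\DLLPath'.
    Sigma compares strings case-insensitively by default."""
    target = event.get("TargetObject", "")
    return target.lower().endswith(SELECTION_SUFFIX.lower())


def filter_matches(event):
    """filter: Details equals the default DLL path (exact match, case-insensitive).
    Any other spelling of the same location, e.g. the expanded path, does NOT match."""
    return event.get("Details", "").lower() == FILTER_DEFAULT.lower()


def rule_fires(event):
    """condition: selection and not filter"""
    return selection_matches(event) and not filter_matches(event)


# Constructed sample events (hypothetical values). The rule only reads
# TargetObject and Details; Image is shown to illustrate what it ignores.
SAMPLE_EVENTS = [
    {   # 1. Default value as shipped with Windows: suppressed by the filter
        "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\WAB\DLLPath",
        "Details": r"%CommonProgramFiles%\System\wab32.dll",
    },
    {   # 2. Value redirected to an attacker-controlled DLL: fires
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\WAB\DLLPath",
        "Details": r"C:\Users\Public\payload.dll",
    },
    {   # 3. Same value written under a user hive: endswith ignores the hive, fires
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        r"\Software\Microsoft\WAB\DLLPath",
        "Details": r"C:\Users\Public\payload.dll",
    },
    {   # 4. Default location but written in expanded form: not equal to the
        #    filter string, so it fires (a benign-installer false positive)
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\WAB\DLLPath",
        "Details": r"C:\Program Files\Common Files\System\wab32.dll",
    },
    {   # 5. A different value under the WAB key: selection does not match
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\WAB\SomeOtherValue",
        "Details": r"C:\Users\Public\payload.dll",
    },
]


def evaluate(events):
    """Return one boolean per event: True where the rule would alert."""
    return [rule_fires(e) for e in events]


if __name__ == "__main__":
    for i, (e, hit) in enumerate(zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)), 1):
        verdict = "ALERT   " if hit else "no alert"
        print(f"event {i}: {verdict} {e['TargetObject']} -> {e['Details']}")
```

Two properties of the rule are visible in the output. The `endswith` match does not care which hive the value lives in, so writes under `HKLM` and under a user hive are treated alike; and the `filter` is an exact string, so a benign write of the same location in its expanded form is not suppressed, which is one concrete source of the "Unknown" false positives. The rule also never looks at the writing process, so triage should pull `Image` and the surrounding process tree from the same event.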
Related rules
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
- WSL Child Process Anomaly
- Potential Binary Proxy Execution Via VSDiagnostics.EXE
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution