rules/windows/image_load/image_load_side_load_ualapi.yml

title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: test
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
    - https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020-05-04
modified: 2022-06-02
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\fxssvc.exe'
        ImageLoaded|endswith: 'ualapi.dll'
    filter:
        ImageLoaded|startswith: 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`title: Fax Service DLL Search Order Hijack`
			`id: 828af599-4c53-4ed2-ba4a-a9f835c434ea`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`- https://windows-internals.com/faxing-your-way-to-system/`
			`author: NVISO`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2020-05-04`
			`modified: 2022-06-02`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`tags:`
			`- attack.persistence`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`- attack.t1574.001`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`logsource:`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`category: image_load`
			`product: windows`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`detection:`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`selection:`
			`Image\|endswith: '\fxssvc.exe'`
			`ImageLoaded\|endswith: 'ualapi.dll'`
			`filter:`
			`ImageLoaded\|startswith: 'C:\Windows\WinSxS\'`
			`condition: selection and not filter`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`falsepositives:`
$frack113$ Order yaml field 2022-10-26 09:42:26 +02:00			`- Unlikely`
refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00			`level: high`