2022-02-03 18:54:34 +01:00
|
|
|
title: Suspicious Load of Advapi31.dll
|
|
|
|
|
id: d813d662-785b-42ca-8b4a-f7457d78d5a9
|
|
|
|
|
status: experimental
|
2022-02-03 22:00:24 +01:00
|
|
|
description: Detects the load of advapi31.dll by a process running in an uncommon folder
|
2022-02-03 18:54:34 +01:00
|
|
|
author: frack113
|
|
|
|
|
references:
|
|
|
|
|
- https://github.com/hlldz/Phant0m
|
|
|
|
|
date: 2022/02/03
|
2022-02-12 00:44:42 +01:00
|
|
|
modified: 2022/02/11
|
2022-02-03 18:54:34 +01:00
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
category: image_load
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
ImageLoaded|endswith: '\advapi32.dll'
|
2022-02-03 22:00:24 +01:00
|
|
|
filter_common:
|
2022-02-03 18:54:34 +01:00
|
|
|
Image|startswith:
|
|
|
|
|
- 'C:\Windows\'
|
|
|
|
|
- 'C:\Program Files (x86)\'
|
|
|
|
|
- 'C:\Program Files\'
|
|
|
|
|
filter_defender:
|
|
|
|
|
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\'
|
|
|
|
|
Image|endswith: '\MpCmdRun.exe'
|
2022-02-04 09:32:29 +01:00
|
|
|
filter_onedrive:
|
|
|
|
|
Image|startswith: 'C:\Users\'
|
|
|
|
|
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
|
|
|
|
|
Image|endswith: 'FileCoAuth.exe'
|
2022-02-03 18:54:34 +01:00
|
|
|
condition: selection and not 1 of filter_*
|
|
|
|
|
falsepositives:
|
2022-03-16 13:43:54 +01:00
|
|
|
- Unknown
|
2022-02-12 00:44:42 +01:00
|
|
|
level: informational
|
2022-02-03 18:54:34 +01:00
|
|
|
tags:
|
|
|
|
|
- attack.defense_evasion
|
|
|
|
|
- attack.t1070
|
