From c7e772eff9d858a4e526f2c02c35eefe6ab2dd70 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 14 Dec 2022 19:24:32 +0100
Subject: [PATCH 1/2] Add image_load_side_load_jsschhlp
---
 .../image_load_side_load_jsschhlp.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/image_load/image_load_side_load_jsschhlp.yml
diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
new file mode 100644
index 000000000..2be0ab53d
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
@@ -0,0 +1,26 @@
+title: Potential DLL Sideloading Via JsSchHlp
+id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
+status: experimental
+description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
+references:
+ - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
+author: frack113
+date: 2022/12/14
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\JSESPR.dll'
+ filter:
+ ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
From cc658743e640fe18f4da89b2ab9e00642da58190 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 14 Dec 2022 23:25:13 +0100
Subject: [PATCH 2/2] fix: add additional reference
---
 rules/windows/image_load/image_load_side_load_jsschhlp.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
index 2be0ab53d..43ef42e0b 100644 
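Review bot: The `filter` on the `ImageLoaded|startswith` line exempts exactly one install root, `C:\Program Files\Common Files\Justsystem\JsSchHlp\`, so a legitimate copy of `JSESPR.dll` loaded from any other location — presumably `C:\Program Files (x86)\Common Files\...` if the product ships 32-bit builds, or an install on a non-system drive — would fire this medium-level rule, and the `falsepositives` entry of `Unknown` would then understate the noise. Since the description and title tie the sideload to the JsSchHlp host, consider narrowing the `selection` to that process, e.g. `Image|endswith: '\JsSchHlp.exe'` alongside the existing `ImageLoaded|endswith: '\JSESPR.dll'`, so the rule stays on the scenario from the reference rather than matching every process that loads the DLL. If a broader match is intended, a `falsepositives` entry naming legitimate non-default installs would document that trade-off.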
--- a/rules/windows/image_load/image_load_side_load_jsschhlp.yml
+++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
 references:
  - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
+ - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
 author: frack113
 date: 2022/12/14
 tags:
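Review bot: The reference added on the `+` line is a cleartext `http://` link to a third-party file-information forum (`windowexe.com`) rather than vendor documentation, so the legitimate install path it is presumably meant to corroborate for the `filter` entry rests on an unverified source and the link may not stay reachable. If the purpose is to back the expected `JsSchHlp` install directory, a vendor page or at least an `https://` URL would be a more durable citation; otherwise a short `description` sentence saying what the link attests would help the next maintainer judge whether to keep it.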