security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added SprintCSP.dll for StorSvc DLL Hijack

Browse Source
This commit is contained in:
fornotes
2023-02-15 11:37:18 +00:00
committed by GitHub
parent c42db7489d
commit 8876b4ba01
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+2
View File
@@ -11,6 +11,7 @@ references:
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://github.com/Wh04m1001/SysmonEoP
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/01
modified: 2022/12/09
@@ -30,6 +31,7 @@ detection:
- 'C:\Windows\System32\TSMSISrv.dll'
- 'C:\Windows\System32\TSVIPSrv.dll'
- 'C:\Windows\System32\wow64log.dll'
TargetFileName|endswith: '\SprintCSP.dll'
filter:
Image|startswith: 'C:\Windows\System32\'
condition: selection and not filter