From c7e772eff9d858a4e526f2c02c35eefe6ab2dd70 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 14 Dec 2022 19:24:32 +0100
Subject: [PATCH] Add image_load_side_load_jsschhlp

---
 .../image_load_side_load_jsschhlp.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/image_load/image_load_side_load_jsschhlp.yml

diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
new file mode 100644
index 000000000..2be0ab53d
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
@@ -0,0 +1,26 @@
+title: Potential DLL Sideloading Via JsSchHlp
+id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
+status: experimental
+description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
+references:
+ - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
+author: frack113
+date: 2022/12/14
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\JSESPR.dll'
+ filter:
+ ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
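Review bot: The `filter` in the new rule excludes every load of JSESPR.dll whose path starts with `C:\Program Files\Common Files\Justsystem\JsSchHlp\` without checking that the module is the vendor's, so the exclusion is keyed on location alone, while a legitimate install on another drive letter or under `Program Files (x86)` (if the product installs there; not verifiable from the hunk) would alert instead. Tightening the exclusion with the image_load signature field narrows it to the expected binary, e.g. adding `Signed: 'true'` beneath the existing `ImageLoaded|startswith` line in `filter`, so that an unsigned or differently signed module in that directory still matches. The `description` could also name what the alert fires on, e.g. `description: Detects potential DLL sideloading of JSESPR.dll, a library loaded by the JsSchHlp component of the JUSTSYSTEMS Japanese word processor`, so an analyst does not have to read the detection block to learn the module name. The `falsepositives` entry `Unknown` is acceptable for experimental status, but noting the legitimate install location there would help with later tuning.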