Merge pull request #4039 from fornotes/master

Added New Rule for LPE via StorSvc DLL Hijack

rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml

@@ -1,4 +1,4 @@
-title: Creation Of Non-Existent DLLs In System Folders
+title: Creation Of Non-Existent System DLL
 id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 related:
     - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
@@ -11,9 +11,10 @@ references:
     - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
     - https://github.com/Wh04m1001/SysmonEoP
     - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-author: Nasreddine Bencherchali (Nextron Systems)
+    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
+author: Nasreddine Bencherchali (Nextron Systems), fornotes
 date: 2022/12/01
-modified: 2022/12/09
+modified: 2023/02/15
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -25,11 +26,12 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFilename:
+        - TargetFilename:
             - 'C:\Windows\System32\WLBSCTRL.dll'
             - 'C:\Windows\System32\TSMSISrv.dll'
             - 'C:\Windows\System32\TSVIPSrv.dll'
             - 'C:\Windows\System32\wow64log.dll'
+        - TargetFilename|endswith: '\SprintCSP.dll'
     filter:
         Image|startswith: 'C:\Windows\System32\'
     condition: selection and not filter