security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/image_load/image_load_side_load_wazuh.yml
T
Nasreddine Bencherchali bb7aabb4b4 chore: author update
2023-04-12 16:11:58 +02:00

32 lines
1.0 KiB
YAML
Raw Blame History

title: Potential Wazuh Security Platform DLL Sideloading
id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
status: experimental
description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023/03/13
modified: 2023/03/23
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\libwazuhshared.dll'
- '\libwinpthread-1.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not filter
falsepositives:
- Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
level: medium
Reference in New Issue View Git Blame Copy Permalink