security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/image_load/image_load_malware_foggyweb_nobelium.yml
T
Nasreddine Bencherchali 68c052aab7 feat: updates and fixes
2023-02-17 17:51:44 +01:00

23 lines
723 B
YAML
Raw Blame History

title: FoggyWeb Backdoor DLL Loading
id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
status: test
description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
references:
- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Florian Roth (Nextron Systems)
date: 2021/09/27
modified: 2022/12/09
tags:
- attack.resource_development
- attack.t1587
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded: 'C:\Windows\ADFS\version.dll'
condition: selection
falsepositives:
- Unlikely
level: critical
Reference in New Issue View Git Blame Copy Permalink