blue-team-tools/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml

title: BlueMashroom DLL Load
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
status: test
description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
author: Florian Roth, Tim Shelton
references:
  - https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software
date: 2019/10/02
modified: 2022/03/02
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - CommandLine|contains|all:
      - '\regsvr32'
      - '\AppData\Local\'
    - CommandLine|contains|all:
      - '\AppData\Local\'
      - ',DllEntry'
  filter_1:
    - CommandLine|contains: 'AppData\Local\Microsoft\TeamsMeetingAddin\'
    - CommandLine|endswith:
      - '\x86\Microsoft.Teams.AddinLoader.dll'
      - '\x86\Microsoft.Teams.AddinLoader.dll"'
      - '\x64\Microsoft.Teams.AddinLoader.dll'
      - '\x64\Microsoft.Teams.AddinLoader.dll"'
  condition: selection and not 1 of filter*
falsepositives:
  - Unlikely
level: critical
tags:
  - attack.defense_evasion
  - attack.t1218.010