Sigma rules for CVE-2009-1892
3 rules · scoped to cve · back to CVE-2009-1892
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 1031
- 1032
- 1034
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID: 1033
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Services\DHCPServer\Parameters\CalloutDlls'
- '\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- Unknown
level: high