Vendor-native detections for T1038
3 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
acer_quick_access__dll_searchorder_hijacking_and_potential_abuses
Detects a CVE-2019-18670 exploitation attempt. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md
// YARA-L 2.0 (Chronicle) rule translated from a Sigma rule (see the reference URL).
// It binds a single event variable ($selection1) and alerts when either of two
// Sysmon event types matches; the Sysmon EID numbers are compared as strings.
rule acer_quick_access__dll_searchorder_hijacking_and_potential_abuses {
meta:
author = "Osman Demir"
description = "Detects (CVE-2019-18670) exploitation attempt License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/1FHzWnzis8it"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
// NOTE(review): T1038 is a deprecated ATT&CK technique ID (its content moved to
// T1574.001, Hijack Execution Flow: DLL Search Order Hijacking) — confirm which ID
// the cross-link should use.
mitre = "persistence, privilege_escalation, defense_evasion, T1038"
events:
// Branch 1 — product_event_type "7" (Sysmon: image loaded). Both the process-image
// regex and the DLL-path equality are applied to the SAME field,
// $selection1.target.process.file.full_path. One value cannot both end in
// QAAdminAgent.exe and equal one of the three atiadlxx/atiadlxy/nvapi paths, so this
// branch can never match as written. Independently, the regex uses "/" as the path
// separator while every literal path in the rule uses "\\"; on a Windows path the
// regex would not match even on its own (compare the "\\" form used in the
// code42_server_dll_search_order_hijack rule on this page).
// Presumably the process image and the loaded module belong in two different UDM
// fields — TODO confirm the Sysmon EID 7 field mapping and split the two predicates.
// Branch 2 — product_event_type "11" (Sysmon: file create). Matches when one of the
// three DLL paths is created under C:\python27. As written, this is the only branch
// that can currently produce an alert.
(($selection1.metadata.product_event_type = "7" and re.regex($selection1.target.process.file.full_path, `.*/QAAdminAgent\.exe`) and ($selection1.target.process.file.full_path = "C:\\python27\\atiadlxx.dll" or $selection1.target.process.file.full_path = "C:\\python27\\atiadlxy.dll" or $selection1.target.process.file.full_path = "C:\\python27\\nvapi.dll")) or ($selection1.metadata.product_event_type = "11" and ($selection1.target.file.full_path = "C:\\python27\\atiadlxx.dll" or $selection1.target.file.full_path = "C:\\python27\\atiadlxy.dll" or $selection1.target.file.full_path = "C:\\python27\\nvapi.dll")))
condition:
// Any single event satisfying the events block is sufficient.
$selection1
}avg_antivirus__avast_antivirus_dll_search_order_hijacking_and_potential_abuses
Detects a CVE-2019-17093 exploitation attempt. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md
// YARA-L 2.0 (Chronicle) rule translated from a Sigma rule (see the reference URL).
// Single event variable ($selection1), two Sysmon event types joined with "or".
rule avg_antivirus__avast_antivirus_dll_search_order_hijacking_and_potential_abuses {
meta:
author = "Osman Demir"
description = "Detects CVE-2019-17093 exploitation attempt License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/R0SEcSK57U7m"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
// NOTE(review): T1038 is a deprecated ATT&CK technique ID (its content moved to
// T1574.001, Hijack Execution Flow: DLL Search Order Hijacking) — confirm which ID
// the cross-link should use.
mitre = "persistence, privilege_escalation, defense_evasion, T1038"
events:
// Branch 1 — product_event_type "7" (Sysmon: image loaded). The AVGSvc.exe regex and
// the wbemcomn.dll equality are both applied to the SAME field,
// $selection1.target.process.file.full_path, so they cannot both hold and this branch
// can never match as written. The regex also uses "/" as the separator while the
// literal paths use "\\", so it would not match a Windows path even on its own.
// Presumably the process image and the loaded module should be in separate UDM fields
// — TODO confirm the Sysmon EID 7 field mapping and split the predicates.
// NOTE(review): C:\Windows\System32\wbem\ is the usual home of wbemcomn.dll, so even
// with the fields split this branch would match legitimate loads of the DLL;
// verify against the referenced Sigma rule which path the hijack case should use.
// Branch 2 — product_event_type "11" (Sysmon: file create). Matches creation of
// wbemcomn.dll at either of two paths; note the two directories differ
// ("C:\Program Files\System32\" vs "C:\Windows\System32\wbem\") — confirm both are intended.
(($selection1.metadata.product_event_type = "7" and re.regex($selection1.target.process.file.full_path, `.*/AVGSvc\.exe`) and $selection1.target.process.file.full_path = "C:\\Windows\\System32\\wbem\\wbemcomn.dll") or ($selection1.metadata.product_event_type = "11" and ($selection1.target.file.full_path = "C:\\Program Files\\System32\\wbemcomn.dll" or $selection1.target.file.full_path = "C:\\Windows\\System32\\wbem\\wbemcomn.dll")))
condition:
// Any single event satisfying the events block is sufficient.
$selection1
}code42_server_dll_search_order_hijack
Detects a CVE-2019-16861 exploitation attempt. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md
// YARA-L 2.0 (Chronicle) rule translated from a Sigma rule (see the reference URL).
// Single event variable ($selection1), two Sysmon event types joined with "or".
rule code42_server_dll_search_order_hijack {
meta:
author = "Halil Ibrahim Cosgun"
description = "Detects CVE-2019-16861 exploitation attempt License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
reference = "https://tdm.socprime.com/tdm/info/2I0t7s1CSogt"
version = "0.01"
created = "2021-03-09"
product = "windows"
service = "sysmon"
// NOTE(review): T1038 is a deprecated ATT&CK technique ID (its content moved to
// T1574.001, Hijack Execution Flow: DLL Search Order Hijacking) — confirm which ID
// the cross-link should use.
mitre = "persistence, privilege_escalation, defense_evasion, T1038"
events:
// Branch 1 — product_event_type "11" (Sysmon: file create). Matches creation of
// msvcr120.dll under C:\python27. As written, this is the only branch that can fire.
// Branch 2 — product_event_type "7" (Sysmon: image loaded). The regex correctly uses
// "\\" as the separator (unlike the two other rules on this page), but it and the
// msvcr120.dll equality are applied to the SAME field,
// $selection1.target.process.file.full_path; a value cannot both end in
// CrashPlanPROServer.exe and equal C:\python27\msvcr120.dll, so this branch can never
// match. Presumably the process image and the loaded module belong in separate UDM
// fields — TODO confirm the Sysmon EID 7 field mapping and split the predicates.
(($selection1.metadata.product_event_type = "11" and $selection1.target.file.full_path = "C:\\python27\\msvcr120.dll") or ($selection1.metadata.product_event_type = "7" and re.regex($selection1.target.process.file.full_path, `.*\\CrashPlanPROServer\.exe`) and $selection1.target.process.file.full_path = "C:\\python27\\msvcr120.dll"))
condition:
// Any single event satisfying the events block is sufficient.
$selection1
}Showing 1-3 of 3