valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1425ede905
SigmaHQ/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml

25 lines
908 B
YAML
Raw Normal View History

update - GitHub Action / Test Sigma
2020-10-13 01:58:02 +00:00
title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
id: c39f0c81-7348-4965-ab27-2fde35a1b641
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
status: experimental
date: 2020/10/12
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1021.003
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html
logsource:
product: windows
service: security
detection:
Fixes&improvements
2021-04-07 22:32:01 +00:00
selection:
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
EventID: 5145
Fixes&improvements
2021-04-07 22:32:01 +00:00
RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
filter:
Fixes&improvements
2021-04-07 22:32:01 +00:00
SubjectUserName|endswith: '$'
10 rules from THP - contributing soon
2020-10-12 19:42:34 +00:00
condition: selection and not filter
falsepositives:
- Unknown
level: critical
Reference in New Issue Copy Permalink