SigmaHQ/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml

title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
status: experimental
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml
    - https://twitter.com/Hexacorn/status/991447379864932352
    - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
tags:
    - attack.defense_evasion
    - attack.t1218
date: 2020/10/13
modified: 2021/05/21
author: oscd.community, Natalia Shornikova
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
    filter:
        Details: '%CommonProgramFiles%\System\wab32.dll'
    condition: selection and not filter
falsepositives: 
 - Unknown
level: high
Update sysmon_wab_dllpath_reg_change.yml 2020-10-17 21:19:27 +00:00			`title: Execution DLL of Choice Using WAB.EXE`
Adding sysmon_wab_dllpath_reg_change.yml Rule 2020-10-15 14:28:24 +00:00			`id: fc014922-5def-4da9-a0fc-28c973f41bfb`
Update sysmon_wab_dllpath_reg_change.yml 2020-10-17 21:19:27 +00:00			`description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.`
Adding sysmon_wab_dllpath_reg_change.yml Rule 2020-10-15 14:28:24 +00:00			`status: experimental`
			`references:`
			`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml`
			`- https://twitter.com/Hexacorn/status/991447379864932352`
			`- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1218`
			`date: 2020/10/13`
$frack113$ Fix falsepositives list 2021-05-21 09:12:04 +00:00			`modified: 2021/05/21`
Adding sysmon_wab_dllpath_reg_change.yml Rule 2020-10-15 14:28:24 +00:00			`author: oscd.community, Natalia Shornikova`
			`logsource:`
			`category: registry_event`
			`product: windows`
			`detection:`
			`selection:`
			`TargetObject\|endswith: '\Software\Microsoft\WAB\DLLPath'`
			`filter:`
			`Details: '%CommonProgramFiles%\System\wab32.dll'`
			`condition: selection and not filter`
$frack113$ Fix falsepositives list 2021-05-21 09:12:04 +00:00			`falsepositives:`
			`- Unknown`
Adding sysmon_wab_dllpath_reg_change.yml Rule 2020-10-15 14:28:24 +00:00			`level: high`