valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-09 02:26:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d1e447a3fd
SigmaHQ/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml

30 lines
1006 B
YAML
Raw Normal View History

Added rules files split into folders
2020-06-10 14:32:30 +00:00
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: experimental
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the
DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
author: Dimitrios Slamaris
tags:
- attack.defense_evasion
att&ck tags review: windows/registry_event
2020-09-06 19:08:27 +00:00
- attack.t1073 # an old one
- attack.t1574.002
Added rules files split into folders
2020-06-10 14:32:30 +00:00
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject:
- '*\Services\DHCPServer\Parameters\CalloutDlls'
- '*\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- unknown
level: high
Reference in New Issue Copy Permalink