From 8ff85499c8e88928b95eaa79d37182b7f040aee8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 28 Oct 2019 12:03:03 +0100
Subject: [PATCH] rule: svchost dll search order hijack

---
 ...sysmon_svchost_dll_search_order_hijack.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml

diff --git a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
new file mode 100644
index 00000000..19bdb147
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
@@ -0,0 +1,35 @@
+title: Svchost DLL Search Order Hijack
+status: experimental
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
+references:
+    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: SBousseaden
+date: 2019/10/28
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.t1038
+    - attack.t1112
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\svchost.exe'
+        ImageLoaded:
+            - '*\tsmsisrv.dll'
+            - '*\tsvipsrv.dll'
+            - '*\wlbsctrl.dll'
+    filter:
+        EventID: 7
+        Image:
+            - '*\svchost.exe'
+        ImageLoaded:
+            - 'C:\Windows\WinSxS\*'
+    condition: selection and not filter
+falsepositives:
+    - Pentest
+level: high
\ No newline at end of file
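Review bot: The `description` value added in this hunk opens mid-sentence ("IKEEXT and SessionEnv service, as they call LoadLibrary ..."), so the rule never states what it detects; an analyst reading the alert gets the attack narrative but not the detection intent. A complete opening would be `description: Detects a DLL search order hijack of the IKEEXT and SessionEnv services, which call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. ...` with the remainder of the sentence unchanged. The `filter` block repeats `EventID: 7` and the `Image` pattern that `selection` already pins, so only the `ImageLoaded: 'C:\Windows\WinSxS\*'` exclusion does any work there; dropping the two redundant keys makes the exclusion easier to audit. Since `falsepositives` lists only `Pentest`, it is worth confirming whether hosts with the Remote Desktop Services role legitimately load tsmsisrv.dll or tsvipsrv.dll from System32 and, if they do, recording that under `falsepositives` before the rule leaves `experimental`.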