rule: svchost dll search order hijack

2024-11-08 02:08:54 +00:00 · 2019-10-28 12:03:03 +01:00 · 2019-10-28 12:03:03 +01:00 · 8ff85499c8
commit 8ff85499c8
parent 1a3444d0ef
1 changed files with 35 additions and 0 deletions
--- a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
@ -0,0 +1,35 @@
+title: Svchost DLL Search Order Hijack
+status: experimental
+description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
+references:
+    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: SBousseaden
+date: 2019/10/28
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.t1038
+    - attack.t1112
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\svchost.exe'
+        ImageLoaded:
+            - '*\tsmsisrv.dll'
+            - '*\tsvipsrv.dll'
+            - '*\wlbsctrl.dll'
+    filter:
+        EventID: 7
+        Image:
+            - '*\svchost.exe'
+        ImageLoaded:
+            - 'C:\Windows\WinSxS\*'        
+    condition: selection and not filter
+falsepositives:
+    - Pentest
+level: high