alert:
- debug
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
filter:
- query:
    query_string:
      query: ((data.win.eventdata.image.keyword:(*fxssvc.exe) AND ImageLoaded.keyword:(*ualapi.dll)) AND (NOT (ImageLoaded.keyword:(C\:\\Windows\\WinSxS\\*))))
index: wazuh-alerts-3.x-*
name: 828af599-4c53-4ed2-ba4a-a9f835c434ea_0
priority: 2
realert:
  minutes: 0
type: any