mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 01:15:17 +00:00
16 lines
484 B
YAML
16 lines
484 B
YAML
alert:
|
|
- debug
|
|
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
|
|
filter:
|
|
- query:
|
|
query_string:
|
|
query: ((data.win.eventdata.image.keyword:(*fxssvc.exe) AND ImageLoaded.keyword:(*ualapi.dll)) AND (NOT (ImageLoaded.keyword:(C\:\\Windows\\WinSxS\\*))))
|
|
index: wazuh-alerts-3.x-*
|
|
name: 828af599-4c53-4ed2-ba4a-a9f835c434ea_0
|
|
priority: 2
|
|
realert:
|
|
minutes: 0
|
|
type: any
|
|
|
|
|