SigmaHQ/rules/windows/builtin/win_susp_phantom_dll.yml

title: Detects Phantom DLLs usage
description: Detects Phantom DLLs usage and matching executable
status: experimental
reference: 
    - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
author: juju4
logsource:
    product: windows
    service: security
    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        CommandLine: 
            - '*ntbackup*'
            - '*\edbbcli.dll*'
            - '*\esebcli2.dll*'
#            - '*mrt*'
            - '*\bcrypt.dll*'
            - '*sessmgr*'
            - '*\SalemHook.dll*'
            - '*certreq*'
            - '*\msfte.dll*'
            - '*\mstracer.dll*'
            - '*fxscover*'
            - '*\TPPrnUIENU.dll*'
            - '*dxdiag*'
            - '*\DXGIDebug.dll*'
            - '*msinfo32*'
            - '*\fveapi.dll*'
            - '*narrator*'
            - '*\MSTTSLocEnUS.dll*'
            - '*\Wow64Log.dll*'
            - '*Dism*'
            - '*\Dism\wimgapi.dll*'
            - '*\DismCore.dll*'
            - '*FileHistory*'
            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
            - '*\Microsoft.NET\Framework\v4.0.30319\urlmon.dll*'
#            - '*mmc*'
            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll*'
            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll*'
            - '*\Microsoft.Net\assembly\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll*'
            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll*'
            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll*'
            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
            - '*\Microsoft.NET\Framework\v4.0.30319\VERSION.dll*'
            - '*Narrator*'
            - '*speech\engines\tts\MSTTSLocEnUS.DLL'
            - '*omadmclient*'
            - '*cmnet.dll*'
            - '*PresentationHost*'
            - '*\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll*'
            - '*provtool*'
            - '*MvHelper.dll*'
            - '*SearchIndexer*'
            - '*msfte.dll*'
            - '*msTracer.dll*'
            - '*SearchProtocolHost*'
            - '*msfte.dll*'
            - '*msTracer.dll*'
    condition: selection
falsepositives: 
    - False positives depend on environment
level: medium