sigmaDRL-1.1from SigmaHQ/sigma
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Quality
98
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
- https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
- attack.defense-evasion
- attack.privilege-escalation
- attack.persistence
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\arubanetsvc.exe'
ImageLoaded|endswith:
- '\wtsapi32.dll'
- '\msvcr100.dll'
- '\msvcp100.dll'
- '\dbghelp.dll'
- '\dbgcore.dll'
- '\wininet.dll'
- '\iphlpapi.dll'
- '\version.dll'
- '\cryptsp.dll'
- '\cryptbase.dll'
- '\wldp.dll'
- '\profapi.dll'
- '\sspicli.dll'
- '\winsta.dll'
- '\dpapi.dll'
filter:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unknown
level: high