← Library
sigmaDRL-1.1from SigmaHQ/sigma

Execution DLL of Choice Using WAB.EXE

This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
    - https://twitter.com/Hexacorn/status/991447379864932352
    - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
    filter:
        Details: '%CommonProgramFiles%\System\wab32.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high