splApache-2.0from splunk/security_content
Process Writing DynamicWrapperX
The following analytic detects a process writing the dynwrapx.dll file to disk and registering it in the registry. It leverages data from the Endpoint datamodel, specifically monitoring process and filesystem events. This activity is significant because DynamicWrapperX is an ActiveX component often used in scripts to call Windows API functions, and its presence in non-standard locations is highly suspicious. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or maintain persistence within the environment. Immediate investigation of parallel processes and registry modifications is recommended.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/process_writing_dynamicwrapperx.yml
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_name="dynwrapx.dll"
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `process_writing_dynamicwrapperx_filter`