Techniques
Sample rules
Files With System DLL Name In Unsuspected Locations
- source: sigma
- techniques:
- t1036
- t1036.005
Description
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
    TargetFilename|contains:
        - C:\$WINDOWS.~BT\
        - C:\$WinREAgent\
        - C:\Windows\SoftwareDistribution\
        - C:\Windows\System32\
        - C:\Windows\SysWOW64\
        - C:\Windows\WinSxS\
        - C:\Windows\uus\
selection:
    TargetFilename|endswith:
        - \secur32.dll
        - \tdh.dll