Detection rules › Sigma
Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1574.001 Hijack Execution Flow: DLL |
| Privilege Escalation | T1574.001 Hijack Execution Flow: DLL |
| Defense Evasion | T1574.001 Hijack Execution Flow: DLL |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
or:
TargetFilename|endswith: ':\Windows\System32\TSMSISrv.dll'
TargetFilename|endswith: ':\Windows\System32\TSVIPSrv.dll'
TargetFilename|endswith: ':\Windows\System32\WLBSCTRL.dll'
TargetFilename|endswith: ':\Windows\System32\WptsExtensions.dll'
TargetFilename|endswith: ':\Windows\System32\axeonoffhelper.dll'
TargetFilename|endswith: ':\Windows\System32\cdpsgshims.dll'
TargetFilename|endswith: ':\Windows\System32\oci.dll'
TargetFilename|endswith: ':\Windows\System32\offdmpsvc.dll'
TargetFilename|endswith: ':\Windows\System32\shellchromeapi.dll'
TargetFilename|endswith: ':\Windows\System32\wbem\wbemcomn.dll'
TargetFilename|endswith: ':\Windows\System32\wow64log.dll'
TargetFilename|endswith: '\SprintCSP.dll'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFilename | ends_with |
|