Registry Modification for OCI DLL Redirection

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry, `T1574.001` Hijack Execution Flow: DLL
Privilege Escalation	`T1574.001` Hijack Execution Flow: DLL
Defense Evasion	`T1112` Modify Registry, `T1574.001` Hijack Execution Flow: DLL

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection_ocilib`

TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'

Stage 2: `not filter_main_ocilib_file`

Details|contains: oci.dll

Stage 3: `selection_ocilibpath`

TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'

Stage 4: `not filter_main_ocilibpath`

Details|contains: '%SystemRoot%\System32\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	match	`%SystemRoot%\System32\` `oci.dll`
`TargetObject`	ends_with	`\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib` `\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath`

Registry Modification for OCI DLL Redirection

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: selection_ocilib

Stage 2: not filter_main_ocilib_file

Stage 3: selection_ocilibpath

Stage 4: not filter_main_ocilibpath

Indicators

Stage 1: `selection_ocilib`

Stage 2: `not filter_main_ocilib_file`

Stage 3: `selection_ocilibpath`

Stage 4: `not filter_main_ocilibpath`