Detection rules › Splunk
Windows Remote Access Software BRC4 Loaded Dll
The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping |
| Command & Control | T1219 Remote Access Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
- Stage 1 (search): `search EventCode=7`
- Stage 2 (search): `search span="30s"`
- Stage 3 (eval): `eval ... using (1, OriginalFileName)`
- Stage 4 (eval): `eval ... using (1, ImageLoaded)`
- Stage 5 (stats): `stats BY Image, BRC4_LoadedDllPath, BRC4_AnomalyLoadedDll, dest, Signed`
- Stage 6 (where): `where`
- Stage 7 (search): `search`
- Stage 8 (search): `search`
- Stage 9 (search): ``search `macro` ``
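The core of the rule, stages 1 through 5, is a co-occurrence check: keep Sysmon EventCode 7, bucket events into 30-second spans, reduce `ImageLoaded` to a DLL name, and aggregate per host and loading process so that a group is flagged only when all four DLLs land in the same span. The Python below is an added example, not the rule's SPL, that replays exactly that logic over constructed key=value records shaped like Splunk-extracted Sysmon fields (host names, paths and timestamps are made up). The later `where`/`search` stages and the macro are not shown on this page, so the example does not implement a process filter; it carries `Image` and `Signed` through in the result, as the rule's `stats BY` clause does, so the analyst can apply that filter afterwards. The second host in the sample shows the window edge case: the same four DLLs loaded across two spans do not alert.

```python
"""Added example (not the rule's own SPL): replays the four-DLL,
30-second co-occurrence check over constructed Sysmon EventCode 7 records."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# The four DLLs named in the rule description.
BRC4_DLLS = frozenset({"credui.dll", "dbghelp.dll", "samcli.dll", "winhttp.dll"})
SPAN_SECONDS = 30  # mirrors the rule's span="30s" bucketing

# Constructed sample records: whitespace-separated key=value fields, no spaces
# in values. WS01 loads all four DLLs inside one 30s span; WS02 loads the same
# four DLLs but split across two spans; the last record is not EventCode 7.
SAMPLE_EVENTS = r"""
EventCode=7 UtcTime=2024-05-01T10:00:01Z dest=WS01 Image=C:\Users\bob\AppData\Local\Temp\updater.exe ImageLoaded=C:\Windows\System32\winhttp.dll Signed=false
EventCode=7 UtcTime=2024-05-01T10:00:03Z dest=WS01 Image=C:\Users\bob\AppData\Local\Temp\updater.exe ImageLoaded=C:\Windows\System32\dbghelp.dll Signed=false
EventCode=7 UtcTime=2024-05-01T10:00:04Z dest=WS01 Image=C:\Users\bob\AppData\Local\Temp\updater.exe ImageLoaded=C:\Windows\System32\credui.dll Signed=false
EventCode=7 UtcTime=2024-05-01T10:00:09Z dest=WS01 Image=C:\Users\bob\AppData\Local\Temp\updater.exe ImageLoaded=C:\Windows\System32\samcli.dll Signed=false
EventCode=7 UtcTime=2024-05-01T10:00:05Z dest=WS02 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\winhttp.dll Signed=true
EventCode=7 UtcTime=2024-05-01T10:00:06Z dest=WS02 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\samcli.dll Signed=true
EventCode=7 UtcTime=2024-05-01T10:01:40Z dest=WS02 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\credui.dll Signed=true
EventCode=7 UtcTime=2024-05-01T10:01:41Z dest=WS02 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\dbghelp.dll Signed=true
EventCode=1 UtcTime=2024-05-01T10:00:02Z dest=WS01 Image=C:\Users\bob\AppData\Local\Temp\updater.exe CommandLine=updater.exe
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Turn the constructed key=value records into dicts with an epoch _time."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(KV_RE.findall(line))
        utc = datetime.strptime(ev["UtcTime"], TIME_FMT).replace(tzinfo=timezone.utc)
        ev["_time"] = utc.timestamp()
        events.append(ev)
    return events


def detect_brc4_dll_set(events, span=SPAN_SECONDS):
    """Stages 1-5 of the rule in Python: filter to EventCode 7, bucket by span,
    derive the DLL basename from ImageLoaded, aggregate per (dest, Image, span)
    and return the groups in which all four DLLs were loaded."""
    groups = defaultdict(lambda: {"dlls": set(), "paths": set(), "signed": set()})
    for ev in events:
        if ev.get("EventCode") != "7":              # Stage 1: search EventCode=7
            continue
        bucket = int(ev["_time"] // span) * span    # Stage 2: span="30s" (tumbling)
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()     # Stage 4: basename of ImageLoaded
        if name not in BRC4_DLLS:
            continue
        g = groups[(ev.get("dest"), ev.get("Image"), bucket)]
        g["dlls"].add(name)
        g["paths"].add(path)
        g["signed"].add(ev.get("Signed", "unknown"))

    hits = []
    for (dest, image, bucket), g in groups.items():  # Stage 5: stats BY ...
        if g["dlls"] == BRC4_DLLS:                   # all four in one window
            hits.append({
                "dest": dest,
                "Image": image,
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).strftime(TIME_FMT),
                "BRC4_AnomalyLoadedDll": sorted(g["dlls"]),
                "BRC4_LoadedDllPath": sorted(g["paths"]),
                "Signed": sorted(g["signed"]),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_brc4_dll_set(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

Because the span is a tumbling bucket, as `bin span=30s` is in Splunk, a process that loads the four DLLs across a bucket boundary is missed; that is the trade-off the rule accepts for a cheap aggregation, and the second host in the sample exercises it.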
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 7 |
| span | eq | 30s |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- UAC Bypass MMC Load Unsigned Dll (adds 4 filters)
- Windows Unsigned DLL Side-Loading (adds 4 filters)
- Windows Unsigned MS DLL Side-Loading (adds 4 filters)
- Spoolsv Suspicious Loaded Modules (adds 3 filters)
- UAC Bypass With Colorui COM Object (adds 3 filters)
- Windows BitDefender Submission Wizard DLL Sideloading (adds 3 filters)
- Windows DLL Module Loaded in Temp Dir (adds 3 filters)
- Windows DLL Side-Loading In Calc (adds 3 filters)
- Windows NetSupport RMM DLL Loaded By Uncommon Process (adds 3 filters)
- Windows SqlWriter SQLDumper DLL Sideload (adds 3 filters)
- Windows Unsigned DLL Side-Loading In Same Process Path (adds 3 filters)
- CMLUA Or CMSTPLUA UAC Bypass (adds 2 filters)
- MS Scripting Process Loading Ldap Module (adds 2 filters)
- MS Scripting Process Loading WMI Module (adds 2 filters)
- MSI Module Loaded by Non-System Binary (adds 2 filters)
- Wbemprox COM Object Execution (adds 2 filters)
- Windows Credentials Access via VaultCli Module (adds 2 filters)
- Windows Executable in Loaded Modules (adds 2 filters)
- Windows Hijack Execution Flow Version Dll Side Load (adds 2 filters)
- Windows InstallUtil Credential Theft (adds 2 filters)
- Windows MMC Loaded Script Engine DLL (adds 2 filters)
- Windows Office Product Loaded MSHTML Module (adds 2 filters)
- Windows Office Product Loading Taskschd DLL (adds 2 filters)
- Windows Office Product Loading VBE7 DLL (adds 2 filters)
- Windows Scheduled Task DLL Module Loaded (adds 2 filters)
- Windows Unusual Process Load Mozilla NSS-Mozglue Module (adds 2 filters)
- Loading Of Dynwrapx Module (adds 1 filter)
- Windows DLL Search Order Hijacking Hunt with Sysmon (adds 1 filter)
- Windows Gather Victim Identity SAM Info (adds 1 filter)
- Windows Input Capture Using Credential UI Dll (adds 1 filter)
- Windows Known Abused DLL Loaded Suspiciously (adds 1 filter)
- Windows Known GraphicalProton Loaded Modules (adds 1 filter)
- Windows SpeechRuntime COM Hijacking DLL Load (adds 1 filter)