Detectionmediumtest

Unsigned Module Loaded by ClickOnce Application

Detects unsigned module load by ClickOnce application.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

@serkinvaleryCreated Thu Jun 08060d5ad4-3153-47bb-8382-43e5e29eda92windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection_path:
        Image|contains: '\AppData\Local\Apps\2.0\'
    selection_sig_status:
        - Signed: 'false'
        - SignatureStatus: 'Expired'
    condition: all of selection_*

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

posts.specterops.io

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0005 · Defense Evasion TA0003 · Persistence

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

060d5ad4-3153-47bb-8382-43e5e29eda92

Status

test

Level

medium

Type

Detection

Created

Thu Jun 08

Author

@serkinvalery

Path

rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml

Raw Tags

attack.privilege-escalationattack.defense-evasionattack.persistenceattack.t1574.001

View on GitHub