Emerging Threathightest
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Thurein Oo, Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 1824007168-a26b-4049-90d0-ce138e13a5cf2023
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic4 selectors
detection:
selection_mscoree:
Image: 'C:\ProgramShared\PresentationHost.exe'
ImageLoaded: ':\ProgramShared\mscoree.dll'
selection_colorui:
Image: 'C:\ProgramData\Adobe\colorcpl.exe'
ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
selection_mapistub:
Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
selection_hid:
Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
condition: 1 of selection_*False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Sub-techniques
Groups
Other
detection.emerging-threats
Rule Metadata
Rule ID
24007168-a26b-4049-90d0-ce138e13a5cf
Status
test
Level
high
Type
Emerging Threat
Created
Wed Oct 18
Path
rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.persistenceattack.t1574.001attack.g0032detection.emerging-threats