Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

APT PRIVATELOG Image Load Pattern

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Tue Sep 07Updated Sun Oct 0933a2d1dd-f3b0-40bd-8baf-7974468927cc2021
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '\svchost.exe'
        ImageLoaded|endswith: '\clfsw32.dll'
    condition: selection
False Positives

Rarely observed

References
1
Resolving title…
web.archive.org
MITRE ATT&CK

Other

detection.emerging-threats
Rule Metadata
Rule ID
33a2d1dd-f3b0-40bd-8baf-7974468927cc
Status
test
Level
high
Type
Emerging Threat
Created
Tue Sep 07
Modified
Sun Oct 09
Author
Florian Roth (Nextron Systems)
Path
rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1055detection.emerging-threats
View on GitHub