Emerging Threatcriticaltest

FoggyWeb Backdoor DLL Loading

Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Mon Sep 27Updated Fri Dec 09640dc51c-7713-4faa-8a0e-e7c0d9d4654c2021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded: 'C:\Windows\ADFS\version.dll'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

Techniques

Other

detection.emerging-threats

Rule Metadata

Rule ID

640dc51c-7713-4faa-8a0e-e7c0d9d4654c

Status

test

Level

critical

Type

Emerging Threat

Created

Mon Sep 27

Modified

Fri Dec 09

Author

Path

rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml

Raw Tags

attack.resource-developmentattack.t1587detection.emerging-threats