Threat Huntlowtest

System Drawing DLL Load

Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Sat May 02Updated Wed Feb 22666ecfc7-229d-42b8-821e-1a8f8cb7057cwindows

Hunting Hypothesis

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith: '\System.Drawing.ni.dll'
    condition: selection

False Positives

False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness

References

MITRE ATT&CK

Tactics

TA0009 · Collection

Techniques

T1113 · Screen Capture

Other

detection.threat-hunting

Rule Metadata

Rule ID

666ecfc7-229d-42b8-821e-1a8f8cb7057c

Status

test

Level

low

Type

Threat Hunt

Created

Sat May 02

Modified

Wed Feb 22

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml

Raw Tags

attack.collectionattack.t1113detection.threat-hunting

View on GitHub