Detectionhightest

Fax Service DLL Search Order Hijack

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

NVISOCreated Mon May 04Updated Thu Jun 02828af599-4c53-4ed2-ba4a-a9f835c434eawindows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\fxssvc.exe'
        ImageLoaded|endswith: 'ualapi.dll'
    filter:
        ImageLoaded|startswith: 'C:\Windows\WinSxS\'
    condition: selection and not filter

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

windows-internals.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

828af599-4c53-4ed2-ba4a-a9f835c434ea

Status

test

Level

high

Type

Detection

Created

Mon May 04

Modified

Thu Jun 02

Author

NVISO

Path

rules/windows/image_load/image_load_side_load_ualapi.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001

View on GitHub